QwikSec

Security Database

CVE

CWE

Training

CVE-2013-6419

Published: Jan 7, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properly handled by (1) api/metadata/handler.py in Nova and (2) the neutron-metadata-agent (agent/metadata/agent.py) in Neutron.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vdb-entry

x_refsource_BID

https://review.openstack.org/#/c/61428/2/nova/api/metadata/handler.py

x_refsource_MISC

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

[oss-security] 20131211 [OSSA 2013-033] Metadata queries from Neutron to Nova are not restricted by tenant (CVE-2013-6419)

mailing-list

x_refsource_MLIST

https://review.openstack.org/#/c/61439/1/neutron/agent/metadata/agent.py

x_refsource_MISC

https://bugs.launchpad.net/neutron/+bug/1235450

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.