CVE-2012-2654

The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.

Published: Jun 21, 2012
Updated: Apr 13, 2023
CVE: CVE-2012-2654
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
openstack / compute	2012.2	2012.2.x
openstack / essex	2012.1	2012.1.x
openstack / diablo	2011.3	2011.3.x

http://secunia.com/advisories/46808
http://secunia.com/advisories/49439
http://www.ubuntu.com/usn/USN-1466-1
https://bugs.launchpad.net/nova/+bug/985184
https://exchange.xforce.ibmcloud.com/vulnerabilities/76110
https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
https://lists.launchpad.net/openstack/msg12883.html
https://review.openstack.org/#/c/8239/

Vulnerability Database

289,697

CVE-2012-2654