Insecure Enforcement of os-flavor-access:is_public Property in OpenStack Compute (Nova) API

Insecure Enforcement of os-flavor-access:is_public Property in OpenStack Compute (Nova) API

CVE-2013-4278 · LOW Severity

AV:N/AC:M/AU:S/C:P/I:N/A:N

The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

Learn more about our Api Penetration Testing.