CVE-2013-4497

NameCVE-2013-4497
DescriptionThe XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nova (PTS)jessie2014.1.3-11fixed
stretch (security), stretch (lts), stretch2:14.0.0-4+deb9u1fixed
buster (security), buster, buster (lts)2:18.1.0-6+deb10u2fixed
bullseye2:22.0.1-2+deb11u1fixed
bullseye (security)2:22.4.0-1~deb11u5fixed
bookworm (security), bookworm2:26.2.2-1~deb12u3fixed
trixie2:30.0.0-3fixed
sid2:30.0.0-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
novasourcewheezy(not affected)
novasource(unstable)2013.2-1

Notes

[wheezy] - nova <not-affected> (OpenStack Essex is not affected)
https://bugs.launchpad.net/nova/+bug/1073306
https://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
https://bugs.launchpad.net/nova/+bug/1202266
https://github.com/openstack/nova/commit/5cced7a6dd32d231c606e25dbf762d199bf9cca7

Search for package or bug name: Reporting problems