PyPi: Nova

CVE-2014-3517

Safety vulnerability ID: 35556

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Aug 07, 2014 Updated at Dec 17, 2024

Advisory

api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.
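The class of bug described above, as an added example (not Nova's code and not taken from the advisory): an early-exit signature comparison does work proportional to the matching prefix, while `hmac.compare_digest` does not. The secret, instance ID, function names and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from Nova or the advisory).
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = b"3f0c6c1e-0000-4000-8000-000000000001"


def sign_instance_id(secret, instance_id):
    """Hex HMAC-SHA256 of the instance ID under the proxy's shared secret."""
    return hmac.new(secret, instance_id, hashlib.sha256).hexdigest()


def early_exit_compare(expected, supplied):
    """Model of an ordinary ==/!= string comparison.

    Returns (match, characters_examined). The count stands in for running
    time: it grows with the length of the correct prefix, which is the
    signal a timing side channel exposes.
    """
    if len(expected) != len(supplied):
        return False, 0
    for examined, (a, b) in enumerate(zip(expected, supplied), start=1):
        if a != b:
            return False, examined
    return True, len(expected)


def with_correct_prefix(expected, k):
    """Constructed test input: first k characters right, all others wrong."""
    wrong_tail = "".join("1" if c == "0" else "0" for c in expected[k:])
    return expected[:k] + wrong_tail


def verify_constant_time(secret, instance_id, supplied):
    """Hardened check: comparison time does not depend on where inputs differ."""
    expected = sign_instance_id(secret, instance_id)
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    good = sign_instance_id(SHARED_SECRET, INSTANCE_ID)
    for k in (0, 10, 40):
        print(k, early_exit_compare(good, with_correct_prefix(good, k)))
    print(verify_constant_time(SHARED_SECRET, INSTANCE_ID, good))
```
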

Affected package

nova

Latest version: 30.0.0

Cloud computing fabric controller

Affected versions

Fixed versions

Vulnerability changelog


MLIST: [oss-security] 20140717 [OSSA 2014-024] Use of non-constant time comparison operation (CVE-2014-3517): http://www.openwall.com/lists/oss-security/2014/07/17/2
CONFIRM: https://bugs.launchpad.net/nova/+bug/1325128

Severity Details

CVSS Base Score

MEDIUM 4.3

CVSS v2 Details

MEDIUM 4.3
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): NONE
Availability Impact (A): NONE