CVE-2012-3361 - OpenCVE

virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openstack	Diablo Essex Folsom

Configuration 1 [-]

OR	cpe:2.3:a:openstack:diablo:2011.3:::::::*
	cpe:2.3:a:openstack:essex:2012.1:::::::*
	cpe:2.3:a:openstack:folsom:2012.2:::::::*

No data.

References

Link	Providers
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html
http://secunia.com/advisories/49763
http://secunia.com/advisories/49802
http://www.securityfocus.com/bid/54278
http://www.ubuntu.com/usn/USN-1497-1
https://bugs.launchpad.net/nova/+bug/1015531
https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7
https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9
https://lists.launchpad.net/openstack/msg14089.html
https://review.openstack.org/#/c/9268/

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-07-22T16:00:00

Updated: 2024-08-06T20:05:12.062Z

Reserved: 2012-06-14T00:00:00

Link: CVE-2012-3361

Vulnrichment

No data.

NVD

Status : Modified

Published: 2012-07-22T16:55:48.227

Modified: 2012-08-17T03:53:53.677

Link: CVE-2012-3361

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-06-03T00:00:00", "descriptions": [{"lang": "en", "value": "virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-07-25T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "49763", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/49763"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://review.openstack.org/#/c/9268/"}, {"name": "54278", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/54278"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/nova/+bug/1015531"}, {"name": "49802", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/49802"}, {"name": "FEDORA-2012-10418", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html"}, {"name": "[openstack] 20120603 [OSSA 2012-008] Arbitrary file injection/corruption through directory traversal issues (CVE-2012-3360, CVE-2012-3361)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.launchpad.net/openstack/msg14089.html"}, {"name": "FEDORA-2012-10420", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9"}, {"name": "USN-1497-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1497-1"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:05:12.062Z"}, "title": "CVE Program Container", "references": [{"name": "49763", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/49763"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://review.openstack.org/#/c/9268/"}, {"name": "54278", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/54278"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/nova/+bug/1015531"}, {"name": "49802", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/49802"}, {"name": "FEDORA-2012-10418", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html"}, {"name": "[openstack] 20120603 [OSSA 2012-008] Arbitrary file injection/corruption through directory traversal issues (CVE-2012-3360, CVE-2012-3361)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.launchpad.net/openstack/msg14089.html"}, {"name": "FEDORA-2012-10420", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9"}, {"name": "USN-1497-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1497-1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-3361", "datePublished": "2012-07-22T16:00:00", "dateReserved": "2012-06-14T00:00:00", "dateUpdated": "2024-08-06T20:05:12.062Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:diablo:2011.3:*:*:*:*:*:*:*", "matchCriteriaId": "65FA489C-5FDC-4887-9F1F-66177F87DB5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:essex:2012.1:*:*:*:*:*:*:*", "matchCriteriaId": "E5FDB43F-B315-4F68-9D86-B644F2D4DF9A", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*", "matchCriteriaId": "E76B76AB-D744-4163-8615-7BA18ABB1347", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image."}, {"lang": "es", "value": "virt/disk/api.py en OpenStack Compute (Nova) Folsom (2.012,2), Essex (2.012,1) y Diablo (2.011,3) permite a usuarios remotos autenticados sobrescribir archivos arbitrarios a trav\u00e9s de un ataque de enlace simb\u00f3lico un archivo en una imagen."}], "id": "CVE-2012-3361", "lastModified": "2012-08-17T03:53:53.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-07-22T16:55:48.227", "references": [{"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49763"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49802"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/54278"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1497-1"}, {"source": "secalert@redhat.com", "url": "https://bugs.launchpad.net/nova/+bug/1015531"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9"}, {"source": "secalert@redhat.com", "url": "https://lists.launchpad.net/openstack/msg14089.html"}, {"source": "secalert@redhat.com", "url": "https://review.openstack.org/#/c/9268/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}