{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-09T00:00:00", "descriptions": [{"lang": "en", "value": "The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-06-19T14:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20140409 [OSSA 2014-011] RBAC policy not properly enforced in Nova EC2 API  (CVE-2014-0167)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/04/09/26"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.net/bugs/1290537"}, {"name": "USN-2247-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2247-1"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:05:38.956Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140409 [OSSA 2014-011] RBAC policy not properly enforced in Nova EC2 API  (CVE-2014-0167)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/04/09/26"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpad.net/bugs/1290537"}, {"name": "USN-2247-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2247-1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0167", "datePublished": "2014-04-15T14:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:38.956Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:compute:2013.1:*:*:*:*:*:*:*", "matchCriteriaId": "6DE1DE9A-0D08-448B-AF80-7ACA236F2A83", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute:2013.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A1A5AAEB-0A8F-4ECF-B184-6A78B882817A", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute:2013.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E8596FDB-87DD-4D06-9923-75EFE7E3F9A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute:2013.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "FA06A9A5-0924-4137-85AF-DB9C7C246DAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute:2013.2:*:*:*:*:*:*:*", "matchCriteriaId": "ABDB4817-2E89-48AF-AA9E-C92966A7100F", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute:2013.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "5778F972-FB4B-49D1-8EE0-5E8B7AE74D38", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute:2013.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D43CFCC4-8A0A-4B8D-847E-0CD092B684E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute:2013.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "76E07164-57B7-4B0A-994E-3431FD8CF7F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:icehouse:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC112BBD-F3D2-4192-B11A-B99D54B08D99", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests."}, {"lang": "es", "value": "En la implementaci\u00f3n del grupo de seguridad Nova EC2 API en OpenStack Compute (Nova) 2013.1 anterior a 2013.2.4 y icehouse anteior icehouse-rc2 no fuerza pol\u00edticas RBAC para (1) add_rules, (2) remove_rules, (3) destroy, y otros m\u00e9todos no especificados en compute/api.py cuando hace uso de pol\u00edticas no por defecto, lo que permite a los usuarios remotos autenticados obtener privilegios a trav\u00e9s de estas peticiones API."}], "id": "CVE-2014-0167", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-15T14:55:04.200", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.openwall.com/lists/oss-security/2014/04/09/26"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2247-1"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://launchpad.net/bugs/1290537"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.openwall.com/lists/oss-security/2014/04/09/26"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2247-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://launchpad.net/bugs/1290537"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Openstack Project for reporting this issue. Upstream acknowledges Marc Heckmann (Ubisoft) as the original reporter.", "affected_release": [{"advisory": "RHSA-2014:1084", "cpe": "cpe:/a:redhat:openstack:4::el6", "package": "openstack-nova-0:2013.2.3-12.el6ost", "product_name": "OpenStack 4 for RHEL 6", "release_date": "2014-08-21T00:00:00Z"}], "bugzilla": {"description": "openstack-nova: RBAC policy not properly enforced in Nova EC2 API", "id": "1084868", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1084868"}, "csaw": false, "cvss": {"cvss_base_score": "6.0", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-862", "details": ["The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.", "It was found that RBAC policies were not enforced in certain methods of the OpenStack Compute EC2 (Amazon Elastic Compute Cloud) API. A remote attacker could use this flaw to escalate their privileges beyond the user group they were originally restricted to. Note that only certain setups using non-default RBAC rules for OpenStack Compute were affected."], "name": "CVE-2014-0167", "package_state": [{"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Affected", "package_name": "openstack-nova", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:3", "fix_state": "Affected", "package_name": "openstack-nova", "product_name": "Red Hat OpenStack Platform 3"}], "public_date": "2014-04-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-0167\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0167"], "threat_severity": "Moderate"}