CVE-2013-4278 Information

Description

The \create an instance\ API in OpenStack Compute (Nova) Folsom Grizzly and Havana does not properly enforce the os-flavor-access:is_public property which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

Reference

http://lists.openstack.org/pipermail/openstack-announce/2013-August/000138.html http://rhn.redhat.com/errata/RHSA-2013-1199.html https://bugs.launchpad.net/ossa/+bug/1212179