VNC Token Vulnerability in OpenStack Compute by OpenStack
CVE-2013-0335

Currently unrated

Key Information:

Vendor: Openstack
Status: Essex; Folsom; Grizzly
Vendor: CVE Published:; 22 March 2013

Summary

The OpenStack Compute (Nova) service's handling of VNC tokens has a significant vulnerability where remote authenticated users can exploit opportunistic circumstances. This allows them to access a virtual machine (VM) using the VNC token associated with a deleted VM that shares the same VNC port. This could result in unauthorized access to sensitive data or control over unintended VMs, highlighting the need for improved access control mechanisms within the Nova service.

References

http://www.osvdb.org/90657

vdb-entryx_refsource_OSVDB

http://secunia.com/advisories/52728

third-party-advisoryx_refsource_SECUNIA

https://bugs.launchpad.net/nova/+bug/1125378

x_refsource_CONFIRM

Timeline

Vulnerability published
Mar 22, 2013
Vulnerability Reserved
Dec 6, 2012