WebSocket Authentication Hijacking in OpenStack Nova
CVE-2015-0259

Currently unrated

Key Information:

Vendor: Openstack
Status: Nova
Vendor: CVE Published:; 1 April 2015

Summary

OpenStack Compute (Nova) versions prior to 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 lack proper validation for the origin of WebSocket requests. This flaw allows remote attackers to potentially hijack user authentication to gain unauthorized access to console sessions by leveraging specially crafted web pages. Administrators should ensure they update to the latest versions to mitigate the risk associated with this vulnerability.

References

http://lists.openstack.org/pipermail/openstack-announce/2...

mailing-listx_refsource_MLIST

http://rhn.redhat.com/errata/RHSA-2015-0844.html

vendor-advisoryx_refsource_REDHAT

http://rhn.redhat.com/errata/RHSA-2015-0790.html

vendor-advisoryx_refsource_REDHAT

Timeline

Vulnerability published
Apr 1, 2015
Vulnerability Reserved
Nov 18, 2014