Описание
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
It was discovered that the OpenStack Compute (nova) console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenStack Platform 4 | openstack-nova | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | openstack-nova | Fixed | RHSA-2015:0844 | 16.04.2015 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | openstack-nova | Fixed | RHSA-2015:0843 | 16.04.2015 |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | openstack-nova | Fixed | RHSA-2015:0790 | 07.04.2015 |
Показывать по
Дополнительная информация
Статус:
4.9 Medium
CVSS2
Связанные уязвимости
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, an ...
OpenStack Compute (Nova) has Insufficient Verification of Data Authenticity
4.9 Medium
CVSS2