CVE-2012-3360

Name of the Vulnerable Software and Affected Versions OpenStack Compute (Nova) versions 2012.1 through 2012.2

Description The issue allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element, specifically in virt/disk/api.py, when used over libvirt-based hypervisors.

Recommendations For versions 2012.1 and 2012.2, consider restricting access to the virt/disk/api.py module to minimize the risk of exploitation. As a temporary workaround, avoid using the path attribute of a file element in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.