PT-2013-4933 · Openstack · Openstack Compute

Kenichi Ohmichi +1 · Published 2013-09-16 · Updated 2023-02-13 · CVE-2013-4278

CVSS v2.0: 3.5 (Low)

Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OpenStack Compute (Nova) versions Folsom through Havana

Description

The issue is in the "create an instance" API, which does not properly enforce the os-flavor-access:is_public property. This allows remote authenticated users to boot arbitrary flavors by guessing the flavor id.

Recommendations

For OpenStack Compute (Nova) versions Folsom through Havana, as a temporary workaround, consider restricting access to the "create an instance" API until a proper fix is applied. Avoid using the os-flavor-access:is_public property in a way that relies on its enforcement by the API. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
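The class of flaw in the description, shown as a simplified model with the missing check beside a corrected one. This is an added example, not Nova's code: the `Flavor` class, the project names, the flavor ids and all function names are hypothetical, and the model assumes the flavor listing path already filters on `is_public`.

```python
from dataclasses import dataclass, field

@dataclass
class Flavor:
    flavor_id: str
    name: str
    is_public: bool = True  # models os-flavor-access:is_public
    allowed_projects: set = field(default_factory=set)  # access list for private flavors

class FlavorAccessDenied(Exception):
    pass

# Constructed sample data: one public flavor, one private flavor shared with project-a only.
FLAVORS = {
    "1": Flavor("1", "m1.small"),
    "42": Flavor("42", "private.huge", is_public=False, allowed_projects={"project-a"}),
}

def visible_to(flavor, project_id):
    """Single authorization predicate reused by every code path."""
    return flavor.is_public or project_id in flavor.allowed_projects

def list_flavors(project_id):
    # Assumption: the listing path filters, so private ids are hidden but still guessable.
    return sorted(f.flavor_id for f in FLAVORS.values() if visible_to(f, project_id))

def create_instance_unchecked(project_id, flavor_id):
    """Flawed pattern: resolves the flavor by id and never consults is_public."""
    flavor = FLAVORS[flavor_id]
    return {"project": project_id, "flavor": flavor.name}

def create_instance_checked(project_id, flavor_id):
    """Corrected pattern: the create path applies the same predicate as the listing."""
    flavor = FLAVORS.get(flavor_id)
    # Same error for "missing" and "not permitted", so a response does not confirm a guessed id.
    if flavor is None or not visible_to(flavor, project_id):
        raise FlavorAccessDenied(f"flavor {flavor_id} could not be found")
    return {"project": project_id, "flavor": flavor.name}

if __name__ == "__main__":
    print(list_flavors("project-b"))                     # private flavor is not listed
    print(create_instance_unchecked("project-b", "42"))  # but the flawed path still boots it
    try:
        create_instance_checked("project-b", "42")
    except FlavorAccessDenied as exc:
        print("denied:", exc)
```
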

Weakness Enumeration

Related Identifiers

CVE-2013-4278
GHSA-43CM-73PX-5V4M

Affected Products

Openstack Compute