| purl | pkg:pypi/nova@21.2.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1p1c-fevy-bydg (Aliases: CVE-2015-0259, GHSA-x8xr-rm9r-7mvf) | Insufficient Verification of Data Authenticity. It was discovered that the OpenStack Compute (nova) console websocket does not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-5nfz-1bk3-93fe (Aliases: CVE-2015-3241, GHSA-3vx7-xff6-h2vx) | OpenStack Nova instance migration process does not stop when instance is deleted. OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance. | Affected by 0 other vulnerabilities. |
| VCID-5tkb-w761-4qc6 (Aliases: CVE-2013-2030, GHSA-pxxv-rv32-2qgv, PYSEC-2013-45) | keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora. | There are no reported fixed by versions. |
| VCID-6n3z-x4zj-4bez (Aliases: CVE-2015-7713, GHSA-67rh-9p29-vrxr) | OpenStack Compute (Nova) allows remote attackers to bypass intended restriction. A vulnerability was discovered in the way OpenStack Compute (nova) networking handled security group updates; changes were not applied to already running VM instances. A remote attacker could use this flaw to access running VM instances. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-bauj-n7jg-gkd2 (Aliases: CVE-2014-3708, GHSA-43hc-pwvx-pmfg) | OpenStack Compute (Nova) Denial of Service vulnerability. A denial of service flaw was found in the way OpenStack Compute (nova) looked up VM instances based on an IP address filter. An attacker with sufficient privileges on an OpenStack installation with a large amount of VMs could use this flaw to cause the main nova process to block for an extended amount of time. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-br4q-499g-vqhg (Aliases: CVE-2022-47951, GHSA-7h75-hwxx-qpgc) | OpenStack Cinder, Glance, and Nova vulnerable to Path Traversal. An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. | Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-e6ne-73mv-73bc (Aliases: CVE-2024-40767, GHSA-rm86-h44c-2r2m) | OpenStack Nova vulnerable to unauthorized access to potentially sensitive data. In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-ek6e-977t-3bew (Aliases: CVE-2015-3280, GHSA-mfmj-gwg3-vhw7) | OpenStack Compute (nova) allows remote authenticated users to cause a denial of service. A flaw was found in the way OpenStack Compute (nova) handled the resize state. If an authenticated user deleted an instance while it was in the resize state, it could cause the original instance to not be deleted from the compute node it was running on, allowing the user to cause a denial of service. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-ex1j-py3q-93hv (Aliases: CVE-2014-3517, GHSA-xjmj-p278-4jp5) | Exposure of Sensitive Information to an Unauthorized Actor. api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-h6rd-5p7q-s3gq (Aliases: CVE-2024-32498, GHSA-r4v4-w9pv-6fph) | OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access. An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected. | There are no reported fixed by versions. |
| VCID-m5vc-4my3-87gk (Aliases: CVE-2022-37394, GHSA-v725-c588-h936) | OpenStack Nova: Changing vnic_type breaks compute service restart. An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user may cause the compute service to fail to restart, resulting in a possible denial of service. Only Nova deployments configured with SR-IOV are affected. | Affected by 4 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-qb9p-rpza-5fa5 (Aliases: CVE-2013-2256, GHSA-5mj6-643f-2g85) | OpenStack Compute (Nova) allows remote authenticated users to obtain sensitive information. CVE-2013-2256 OpenStack: Nova private flavors resource limit circumvention | Affected by 1 other vulnerability. |
| VCID-s69v-tc7x-37fe (Aliases: CVE-2026-24708, GHSA-m4f3-qp2w-gwh6) | OpenStack Nova calls qemu-img without format restrictions for resize. An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected. | There are no reported fixed by versions. |
| VCID-sj2k-uq1g-suby (Aliases: CVE-2013-4179, GHSA-j6xh-q826-55jw) | Improper Restriction of Operations within the Bounds of a Memory Buffer. CVE-2013-4179 OpenStack: Nova XML entities DoS | Affected by 0 other vulnerabilities. |
| VCID-x5k4-dm9d-xkf7 (Aliases: CVE-2014-3608, GHSA-92hc-c226-32q7) | OpenStack Compute (Nova)'s VMware driver vulnerable to denial of service. CVE-2014-3608 openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images | Affected by 0 other vulnerabilities. |
| VCID-zwuz-pgjz-rkb9 (Aliases: CVE-2021-3654, GHSA-vqp6-j452-j6wp) | URL Redirection to Untrusted Site ('Open Redirect'). A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. | Affected by 15 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||