CVE-2013-4278

Publication date 16 September 2013

Last updated 4 August 2025

Ubuntu priority

The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nova	13.10 saucy	Not affected
	13.04 raring	Fixed 1:2013.1.3-0ubuntu1.1
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not in release

Notes

seth-arnold

An incomplete fix for CVE-2013-2256 caused this vulnerability

jdstrand

The version of nova in Ubuntu 13.04 in raring-updates needs this fix flavor_access.py API extension not available on Essex (Ubuntu 12.04 LTS) Ubuntu 12.10 still vulnerable to CVE-2013-2256 so it is not affected by this CVE

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nova	Upstream: 4054cc4 Upstream: 8b68619 Upstream: 6825959

References

Related Ubuntu Security Notices (USN)