{"id":"GHSA-p258-xmh3-72pv","summary":"OpenStack Compute (Nova) allows remote authenticated users to gain privileges via API requests","details":"The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.","aliases":["CVE-2014-0167"],"modified":"2025-04-13T23:18:20Z","published":"2022-05-17T04:41:34Z","database_specific":{"severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-862"],"github_reviewed_at":"2023-02-08T18:04:25Z","nvd_published_at":"2014-04-15T14:55:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0167"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2014:1084"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2014-0167"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1084868"},{"type":"WEB","url":"https://launchpad.net/bugs/1290537"},{"type":"PACKAGE","url":"https://opendev.org/openstack/nova"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2014/04/09/26"},{"type":"WEB","url":"http://www.ubuntu.com/usn/USN-2247-1"}],"affected":[{"package":{"name":"nova","ecosystem":"PyPI","purl":"pkg:pypi/nova"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2013.1.0"},{"fixed":"2013.2.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p258-xmh3-72pv/GHSA-p258-xmh3-72pv.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}]}