CVE-2014-0134: OpenStack Nova host data leak to vm instance in rescue mode

May 17, 2022 (updated May 14, 2024)

The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with a crafted image.

References

bugs.launchpad.net/nova/+bug/1221190
github.com/advisories/GHSA-w429-xc55-hc48
github.com/openstack/nova
github.com/openstack/nova/commit/25e761acd56d4c820273fc0245ada06c500c1637
github.com/openstack/nova/commit/d416f4310bb946b4b127201ec3c37e530d988714
github.com/openstack/nova/commit/dc8de426066969a3f0624fdc2a7b29371a2d55bf
nvd.nist.gov/vuln/detail/CVE-2014-0134

Detect and mitigate CVE-2014-0134 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →