CVE-2014-2573: OpenStack Nova VMWare driver leaks rescued images

May 17, 2022 (updated May 14, 2024)

The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.

References

bugs.launchpad.net/nova/+bug/1269418
github.com/advisories/GHSA-jv34-xvjq-ppch
github.com/openstack/nova
github.com/openstack/nova/commit/b3cc3f62a60662e5bb82136c0cfa464592a6afe9
github.com/openstack/nova/commit/efb66531bc37ee416778a70d46c657608ca767af
nvd.nist.gov/vuln/detail/CVE-2014-2573

Detect and mitigate CVE-2014-2573 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →