Source: nova Version: 2013.2.2-4 Severity: important Tags: security Reporter: Marc Heckmann (Ubisoft) Products: Nova Versions: 2013.1 versions up to 2013.2.3
Description: Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API security group implementation. RBAC policies are not enforced when using the EC2 API, in particular the add_rules, remove_rules and destroy methods. A restricted user may overcome his limitation by using EC2 API resulting in unauthorized action on security groups. Only setups using non-default RBAC rules for Nova may be affected. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

