Source: nova
Version: 2013.2.2-4
Severity: important
Tags: security

Reporter: Marc Heckmann (Ubisoft)
Products: Nova
Versions: 2013.1 versions up to 2013.2.3

Description:
Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API
security group implementation. RBAC policies are not enforced when using
the EC2 API, in particular the add_rules, remove_rules and destroy
methods. A restricted user may overcome his limitation by using EC2 API
resulting in unauthorized action on security groups. Only setups using
non-default RBAC rules for Nova may be affected.


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to