CVE-2012-3360 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openstack	Essex Folsom

Configuration 1 [-]

OR	cpe:2.3:a:openstack:essex:2012.1:::::::*
	cpe:2.3:a:openstack:folsom:2012.2:::::::*

No data.

References

Link	Providers
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html
http://secunia.com/advisories/49763
http://secunia.com/advisories/49802
http://www.securityfocus.com/bid/54277
http://www.ubuntu.com/usn/USN-1497-1
https://bugs.launchpad.net/nova/+bug/1015531
https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7
https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9
https://lists.launchpad.net/openstack/msg14089.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-07-22T16:00:00

Updated: 2024-08-06T20:05:12.510Z

Reserved: 2012-06-14T00:00:00

Link: CVE-2012-3360

Vulnrichment

No data.

NVD

Status : Modified

Published: 2012-07-22T16:55:45.853

Modified: 2024-11-21T01:40:42.273

Link: CVE-2012-3360

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-06-03T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-07-25T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "54277", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/54277"}, {"name": "49763", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/49763"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/nova/+bug/1015531"}, {"name": "49802", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/49802"}, {"name": "[openstack] 20120603 [OSSA 2012-008] Arbitrary file injection/corruption through directory traversal issues (CVE-2012-3360, CVE-2012-3361)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.launchpad.net/openstack/msg14089.html"}, {"name": "FEDORA-2012-10420", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9"}, {"name": "USN-1497-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1497-1"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:05:12.510Z"}, "title": "CVE Program Container", "references": [{"name": "54277", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/54277"}, {"name": "49763", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/49763"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/nova/+bug/1015531"}, {"name": "49802", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/49802"}, {"name": "[openstack] 20120603 [OSSA 2012-008] Arbitrary file injection/corruption through directory traversal issues (CVE-2012-3360, CVE-2012-3361)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.launchpad.net/openstack/msg14089.html"}, {"name": "FEDORA-2012-10420", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9"}, {"name": "USN-1497-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1497-1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-3360", "datePublished": "2012-07-22T16:00:00", "dateReserved": "2012-06-14T00:00:00", "dateUpdated": "2024-08-06T20:05:12.510Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:essex:2012.1:*:*:*:*:*:*:*", "matchCriteriaId": "E5FDB43F-B315-4F68-9D86-B644F2D4DF9A", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*", "matchCriteriaId": "E76B76AB-D744-4163-8615-7BA18ABB1347", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en virt/disk/api.py en OpenStack Compute (Nova) Folsom (2.012,2) y Essex (2.012,1), cuando se utiliza durante libvirt basados ??en hipervisores, permite a usuarios remotos autenticados escribir archivos arbitrarios a la imagen de disco a trav\u00e9s de un. . (punto punto) en el atributo de ruta de un elemento de archivo"}], "id": "CVE-2012-3360", "lastModified": "2024-11-21T01:40:42.273", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-07-22T16:55:45.853", "references": [{"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49763"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49802"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/54277"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1497-1"}, {"source": "secalert@redhat.com", "url": "https://bugs.launchpad.net/nova/+bug/1015531"}, {"source": "secalert@redhat.com", "url": "https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9"}, {"source": "secalert@redhat.com", "url": "https://lists.launchpad.net/openstack/msg14089.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49763"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49802"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/54277"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1497-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.launchpad.net/nova/+bug/1015531"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.launchpad.net/openstack/msg14089.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}