Launchpad CVE tracker

CVE 2015-0259

OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

Related bugs and status

CVE-2015-0259 (Candidate) is related to these bugs:

Bug #1409142: [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

		In	Importance	Status
1409142	[OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)	OpenStack Compute (nova)	High	Fix Released
1409142	[OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)	OpenStack Security Advisory	Medium	Fix Released
1409142	[OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)	OpenStack Compute (nova) juno	High	Fix Released
1409142	[OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)	OpenStack Compute (nova) icehouse	High	Fix Released

Bug #1420273: Nova console Cross-Site WebSocket hijacking

		In	Importance	Status
1420273	Nova console Cross-Site WebSocket hijacking	Mirantis OpenStack	High	Fix Released
1420273	Nova console Cross-Site WebSocket hijacking	Mirantis OpenStack 5.0.x	Critical	Won't Fix
1420273	Nova console Cross-Site WebSocket hijacking	Mirantis OpenStack 6.1.x	High	Fix Released
1420273	Nova console Cross-Site WebSocket hijacking	Mirantis OpenStack 5.1.x	Critical	Fix Released
1420273	Nova console Cross-Site WebSocket hijacking	Mirantis OpenStack 6.0.x	Critical	Fix Released

Bug #1474079: Cross-site web socket connections fail on Origin and Host header mismatch

Summary				In	Importance	Status
	1474079	Cross-site web socket connections fail on Origin and Host header mismatch		OpenStack Compute (nova)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-0259

References