CVE 2015-0259
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
Related bugs and status
CVE-2015-0259 (Candidate) is related to these bugs:
Bug #1409142: [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1409142 | [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) | OpenStack Compute (nova) | High | Fix Released
1409142 | [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) | OpenStack Security Advisory | Medium | Fix Released
1409142 | [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) | OpenStack Compute (nova) juno | High | Fix Released
1409142 | [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) | OpenStack Compute (nova) icehouse | High | Fix Released
Bug #1420273: Nova console Cross-Site WebSocket hijacking
Bug | Summary | In | Importance | Status
---|---|---|---|---
1420273 | Nova console Cross-Site WebSocket hijacking | Mirantis OpenStack | High | Fix Released
1420273 | Nova console Cross-Site WebSocket hijacking | Mirantis OpenStack 5.0.x | Critical | Won't Fix
1420273 | Nova console Cross-Site WebSocket hijacking | Mirantis OpenStack 6.1.x | High | Fix Released
1420273 | Nova console Cross-Site WebSocket hijacking | Mirantis OpenStack 5.1.x | Critical | Fix Released
1420273 | Nova console Cross-Site WebSocket hijacking | Mirantis OpenStack 6.0.x | Critical | Fix Released
Bug #1474079: Cross-site web socket connections fail on Origin and Host header mismatch
Bug | Summary | In | Importance | Status
---|---|---|---|---
1474079 | Cross-site web socket connections fail on Origin and Host header mismatch | OpenStack Compute (nova) | Undecided | Fix Released
See the CVE page on Mitre.org for more details.