Incorrect Access Control Affecting octavia package, versions [,0.9.0)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-OCTAVIA-174798
- published 28 May 2019
- disclosed 27 May 2019
- credit Nir Magnezi
Introduced: 27 May 2019
CVE-2019-3895 Open this link in a new tabHow to fix?
Upgrade octavia
to version 0.9.0 or higher.
Overview
octavia is an operator-grade reference implementation for Load Balancing as a Service (LBaaS) for OpenStack.
Affected versions of this package are vulnerable to Incorrect Access Control. _extract_amp_image_id_by_tag
within octavia/compute/drivers/nova_driver.py
does not filter images and use images owned by pre-defined tenant. This could allow any non-admin tenant to tag an image with the 'amphora' tag and set it to public=True
.
Note: Exploitation of this vulnerability requires configuration of your instance to allow any tenant to post public images, which is not enabled in default configuration.