OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Nova | Openstack | 2014.1 | * |
Nova | Openstack | 2014.2 | * |
Nova | Openstack | 2015.1.0 | 2015.1.0 |