Vulnerabilities related to apache - libcloud
cve-2010-4340
Vulnerability from cvelistv5
Published
2011-09-11 20:00
Modified
2024-09-17 01:35
Summary
libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack.
References
URL | Tags | |
---|---|---|
http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201009.mbox/%3C5860913.463891285776633273.JavaMail.jira%40thor%3E | mailing-list, x_refsource_MLIST | |
http://wiki.apache.org/incubator/LibcloudSSL | x_refsource_MISC | |
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463 | x_refsource_CONFIRM | |
http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201011.mbox/browser | mailing-list, x_refsource_MLIST | |
https://issues.apache.org/jira/browse/LIBCLOUD-55 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:43:14.630Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[libcloud] 20100929 [jira] Closed: (LIBCLOUD-55) this python project is vulnerable to MITM as it fails to verify the ssl validity of the remote destination.", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201009.mbox/%3C5860913.463891285776633273.JavaMail.jira%40thor%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://wiki.apache.org/incubator/LibcloudSSL" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463" }, { "name": "[libcloud] 20101108 SSL certs checking", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201011.mbox/browser" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/LIBCLOUD-55" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-09-11T20:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[libcloud] 20100929 [jira] Closed: (LIBCLOUD-55) this python project is vulnerable to MITM as it fails to verify the ssl validity of the remote destination.", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201009.mbox/%3C5860913.463891285776633273.JavaMail.jira%40thor%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "http://wiki.apache.org/incubator/LibcloudSSL" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463" }, { "name": "[libcloud] 20101108 SSL certs checking", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201011.mbox/browser" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/LIBCLOUD-55" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2010-4340", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[libcloud] 20100929 [jira] Closed: (LIBCLOUD-55) this python project is vulnerable to MITM as it fails to verify the ssl validity of the remote destination.", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201009.mbox/%3C5860913.463891285776633273.JavaMail.jira@thor%3E" }, { "name": "http://wiki.apache.org/incubator/LibcloudSSL", "refsource": "MISC", "url": "http://wiki.apache.org/incubator/LibcloudSSL" }, { "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463" }, { "name": "[libcloud] 20101108 SSL certs checking", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201011.mbox/browser" }, { "name": "https://issues.apache.org/jira/browse/LIBCLOUD-55", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/LIBCLOUD-55" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-4340", "datePublished": "2011-09-11T20:00:00Z", "dateReserved": "2010-11-30T00:00:00Z", "dateUpdated": "2024-09-17T01:35:31.677Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-3446
Vulnerability from cvelistv5
Published
2012-11-04 22:00
Modified
2024-08-06 20:05
Summary
Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
References
URL | Tags | |
---|---|---|
https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES | x_refsource_CONFIRM | |
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:05:12.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-11-04T22:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-3446", "datePublished": "2012-11-04T22:00:00Z", "dateReserved": "2012-06-14T00:00:00Z", "dateUpdated": "2024-08-06T20:05:12.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-6480
Vulnerability from cvelistv5
Published
2014-01-07 18:00
Modified
2024-08-06 17:39
Summary
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
References
URL | Tags | |
---|---|---|
http://www.securityfocus.com/bid/64617 | vdb-entry, x_refsource_BID | |
http://libcloud.apache.org/security.html | x_refsource_CONFIRM | |
http://www.securityfocus.com/archive/1/530624/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://digitalocean.com/blog_posts/transparency-regarding-data-security | x_refsource_MISC | |
http://lists.opensuse.org/opensuse-updates/2014-02/msg00015.html | vendor-advisory, x_refsource_SUSE | |
https://github.com/fog/fog/issues/2525 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:39:01.324Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "64617", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/64617" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://libcloud.apache.org/security.html" }, { "name": "20140101 [CVE-2013-6480] Libcloud doesn\u0027t send scrub_data query parameter when destroying a DigitalOcean node", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/530624/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://digitalocean.com/blog_posts/transparency-regarding-data-security" }, { "name": "openSUSE-SU-2014:0198", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00015.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/fog/fog/issues/2525" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-01-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "64617", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/64617" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://libcloud.apache.org/security.html" }, { "name": "20140101 [CVE-2013-6480] Libcloud doesn\u0027t send scrub_data query parameter when destroying a DigitalOcean node", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/530624/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "https://digitalocean.com/blog_posts/transparency-regarding-data-security" }, { "name": "openSUSE-SU-2014:0198", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00015.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/fog/fog/issues/2525" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-6480", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "64617", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64617" }, { "name": "http://libcloud.apache.org/security.html", "refsource": "CONFIRM", "url": "http://libcloud.apache.org/security.html" }, { "name": "20140101 [CVE-2013-6480] Libcloud doesn\u0027t send scrub_data query parameter when destroying a DigitalOcean node", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/530624/100/0/threaded" }, { "name": "https://digitalocean.com/blog_posts/transparency-regarding-data-security", "refsource": "MISC", "url": "https://digitalocean.com/blog_posts/transparency-regarding-data-security" }, { "name": "openSUSE-SU-2014:0198", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00015.html" }, { "name": "https://github.com/fog/fog/issues/2525", "refsource": "MISC", "url": "https://github.com/fog/fog/issues/2525" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-6480", "datePublished": "2014-01-07T18:00:00", "dateReserved": "2013-11-04T00:00:00", "dateUpdated": "2024-08-06T17:39:01.324Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd (CVE-2010-4340)
Published
2011-09-12 12:41
Modified
2024-11-21 01:20
Summary
libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:libcloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "38B0947F-E9E0-4E8C-901D-FAB7A22B3A6A", "versionEndIncluding": "0.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:libcloud:0.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "711C1876-35C7-4153-B344-1D461E6BED80", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:libcloud:0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "12AD59FE-8AD1-41C5-B9AC-F51EA7E07086", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:libcloud:0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "15A06412-37E3-471A-B022-C1B8D3C5B7F0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack." }, { "lang": "es", "value": "Las versiones de Libcloud antes de la v0.4.1 no verifican los certificados SSL para conexiones HTTPS, lo que permite a atacantes remotos falsificar certificados y eludir las restricciones de acceso a trav\u00e9s de un ataque de hombre en el medio (MITM)." 
} ], "id": "CVE-2010-4340", "lastModified": "2024-11-21T01:20:44.027", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-09-12T12:41:27.473", "references": [ { "source": "secalert@redhat.com", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463" }, { "source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201009.mbox/%3C5860913.463891285776633273.JavaMail.jira%40thor%3E" }, { "source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201011.mbox/browser" }, { "source": "secalert@redhat.com", "url": "http://wiki.apache.org/incubator/LibcloudSSL" }, { "source": "secalert@redhat.com", "url": "https://issues.apache.org/jira/browse/LIBCLOUD-55" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201009.mbox/%3C5860913.463891285776633273.JavaMail.jira%40thor%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201011.mbox/browser" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.apache.org/incubator/LibcloudSSL" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.apache.org/jira/browse/LIBCLOUD-55" } ], "sourceIdentifier": 
"secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2012-3446)
Published
2012-11-04 22:55
Modified
2024-11-21 01:40
Summary
Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:libcloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BA84103-FCEF-4050-A42D-3CDFACD04B52", "versionEndExcluding": "0.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate." }, { "lang": "es", "value": "Apache Libcloud antes de v0.11.1 usa una expresi\u00f3n regular incorrecta durante la comprobaci\u00f3n de si el nombre del servidor coincide con un nombre de dominio en el nombre com\u00fan (CN) del sujeto o con el campo subjectAltName del certificado X.509, lo que permite falsificar servidores SSL a atacantes man-in-the-middle mediante un certificado v\u00e1lido de su elecci\u00f3n." 
} ], "id": "CVE-2012-3446", "lastModified": "2024-11-21T01:40:53.643", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2012-11-04T22:55:03.060", "references": [ { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" }, { "source": "secalert@redhat.com", "tags": [ "Release Notes" ], "url": "https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-295" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2013-6480)
Published
2014-01-07 18:55
Modified
2024-11-21 01:59
Summary
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:libcloud:0.12.3:*:*:*:*:*:*:*", "matchCriteriaId": "0B8F110F-AFFA-456E-A7C7-8F6D08BEA53B", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:libcloud:0.12.4:*:*:*:*:*:*:*", "matchCriteriaId": "3FC50FE5-886C-4B1D-B0E4-9C0162B33CDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:libcloud:0.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "9017DE0C-D528-4414-B490-B99509A12726", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:libcloud:0.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "13AACA2B-74EC-4DC4-BE0E-06807E4C0892", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:libcloud:0.13.2:*:*:*:*:*:*:*", "matchCriteriaId": "610F2077-8358-4CC3-A94F-5D420C2D5FBB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM." }, { "lang": "es", "value": "Libcloud versiones 0.12.3 hasta 0.13.2, no ajusta el par\u00e1metro scrub_data para la API destroy DigitalOcean, que permite a los usuarios locales obtener informaci\u00f3n confidencial mediante el aprovechamiento de una nueva m\u00e1quina virtual." 
} ], "id": "CVE-2013-6480", "lastModified": "2024-11-21T01:59:18.697", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-01-07T18:55:07.083", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://libcloud.apache.org/security.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00015.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/530624/100/0/threaded" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/64617" }, { "source": "secalert@redhat.com", "url": "https://digitalocean.com/blog_posts/transparency-regarding-data-security" }, { "source": "secalert@redhat.com", "url": "https://github.com/fog/fog/issues/2525" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://libcloud.apache.org/security.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00015.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/530624/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/64617" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://digitalocean.com/blog_posts/transparency-regarding-data-security" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/fog/fog/issues/2525" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }