CVE-2012-3361 : virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), an

virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image.

Published 2012-07-22 16:55:48

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2012-3361

Openstack » Essex » Version: 2012.1
cpe:2.3:a:openstack:essex:2012.1:*:*:*:*:*:*:*
Matching versions
Openstack » Diablo » Version: 2011.3
cpe:2.3:a:openstack:diablo:2011.3:*:*:*:*:*:*:*
Matching versions
Openstack » Folsom » Version: 2012.2
cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2012-3361

EPSS FAQ

1.38%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-3361

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.5	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:P	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2012-3361

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-3361

https://bugs.launchpad.net/nova/+bug/1015531

Bug #1015531 “Remote arbitrary file corruption / creation flaw v...” : Bugs : OpenStack Compute (nova)

CVEs referencing this url
https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7

Prevent file injection writing to host filesystem. · openstack/nova@2427d4a · GitHub
Exploit;Patch

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html

[SECURITY] Fedora 16 Update: openstack-nova-2011.3.1-11.fc16
http://www.ubuntu.com/usn/USN-1497-1

USN-1497-1: Nova vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://lists.launchpad.net/openstack/msg14089.html

[OSSA 2012-008] Arbitrary file injection/corruption through directory traversal issues (CVE-2012-3360, CVE-2012-3361) : Mailing list archive : openstack team in Launchpad

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html

[SECURITY] Fedora 17 Update: openstack-nova-2012.1.1-3.fc17

CVEs referencing this url
http://www.securityfocus.com/bid/54278

OpenStack Nova CVE-2012-3361 Memory Corruption Vulnerability
http://secunia.com/advisories/49802

Sign in
Vendor Advisory

CVEs referencing this url
https://review.openstack.org/#/c/9268/

review.opendev Code Review
https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9

Prevent file injection writing to host filesystem. · openstack/nova@b0feaff · GitHub
Exploit;Patch

CVEs referencing this url
http://secunia.com/advisories/49763

Sign in
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2012-3361

Products affected by CVE-2012-3361

Exploit prediction scoring system (EPSS) score for CVE-2012-3361

CVSS scores for CVE-2012-3361

CWE ids for CVE-2012-3361

References for CVE-2012-3361