OSSA-2011-001: Path traversal issues registering malicious images using EC2 API¶
December 13, 2011
Nova: All versions
David Black reported two issues in OpenStack Nova’s support for EC2 RegisterImage action. By registering images from malicious tarballs or manifests, an attacker could potentially traverse directories and overwrite files with the rights of the user Nova runs under. Only setups allowing the EC2 API and the S3/RegisterImage method for registering images are affected.
David Black (CVE-2011-4596)