CVE-2013-1838: OpenStack Compute (Nova) Denial of service via a large number of calls to the addFixedIp function
CVSS Score: 6.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2013-1838
GHSA ID
EPSS Score: 0.79764%
CWE: CWE-770
Published: 5/17/2022
Updated: 11/26/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
nova | pip | < 12.0.0a0 | 12.0.0a0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing quota enforcement in the fixed IP allocation process. The patch adds quota checks (QUOTAS.reserve/commit) to allocate_fixed_ip in nova/network/manager.py, confirming that this function was the vulnerable point. Before the patch, it allowed unlimited fixed IP associations without tracking usage against a project quota, so repeated addFixedIp calls were the clear attack vector. The CWE-770 (allocation of resources without limits or throttling) classification and the commit diff further support this assessment.
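
The reserve/commit pattern described above, shown beside an unchecked allocation. This is an added example and not code from nova or its patch: the Quotas class, its rollback step, the "tenant-a" project name and the 192.0.2.x addresses are all constructed assumptions.

```python
class OverQuota(Exception):
    """A reservation would push the project past its fixed-IP limit."""

class Quotas:
    """Hypothetical per-project counter with two-phase reserve/commit."""
    def __init__(self, limit):
        self.limit, self.in_use, self.reserved = limit, {}, {}

    def reserve(self, project, delta=1):
        held = self.in_use.get(project, 0) + self.reserved.get(project, 0)
        if held + delta > self.limit:
            raise OverQuota(project)
        self.reserved[project] = self.reserved.get(project, 0) + delta
        return project, delta

    def commit(self, reservation):
        project, delta = reservation
        self.reserved[project] -= delta
        self.in_use[project] = self.in_use.get(project, 0) + delta

    def rollback(self, reservation):
        self.reserved[reservation[0]] -= reservation[1]

def allocate_unchecked(pool, project):
    # Pre-patch shape: nothing counts the allocation against the project.
    return pool.pop(0)

def allocate_with_quota(pool, quotas, project):
    reservation = quotas.reserve(project)  # refuse before touching the pool
    try:
        address = pool.pop(0)              # IndexError when the pool is empty
    except IndexError:
        quotas.rollback(reservation)       # a failed allocation must not count
        raise
    quotas.commit(reservation)
    return address

def simulate(calls, pool_size=8, limit=3):
    """One project sends `calls` requests: (free unchecked, free capped, denied)."""
    open_pool = [f"192.0.2.{n}" for n in range(10, 10 + pool_size)]  # constructed
    capped_pool, quotas, denied = list(open_pool), Quotas(limit), 0
    for _ in range(calls):
        if open_pool:
            allocate_unchecked(open_pool, "tenant-a")
        try:
            allocate_with_quota(capped_pool, quotas, "tenant-a")
        except OverQuota:
            denied += 1
    return len(open_pool), len(capped_pool), denied
```

With eight requests from one project, the unchecked pool is drained while the quota-checked pool keeps five addresses available to other projects.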