[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when
destroying a DigitalOcean node
Vendor: Apache Software Foundation
Project: Apache Libcloud (http://libcloud.apache.org/)
Affected Versions: Apache Libcloud 0.12.3 to 0.13.3 (version prior to
0.12.3 don't include a DigitalOcean driver)
DigitalOcean recently changed the default API behavior from scrub to
non-scrub when destroying a VM.
Libcloud doesn't explicitly send "scrub_data" query parameter when
destroying a node. This means nodes which are destroyed using Libcloud
are vulnerable to later customers stealing data contained on them.
Note: Only users who are using DigitalOcean driver are affected by this issue.
- - http://libcloud.apache.org/security.html
- - https://digitalocean.com/blog_posts/transparency-regarding-data-security
- - https://github.com/fog/fog/issues/2525
This vulnerability has been fixed in version 0.13.3. Users who use
DigitalOcean driver are strongly encouraged to upgrade to this