Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 23 May 2014 14:27:44 -0400
From: Tristan Cacqueray <>
Subject: [OSSA 2014-016] Heat template URL information leakage (CVE-2014-3801)

OpenStack Security Advisory: 2014-016
CVE: CVE-2014-3801
Date: May 23, 2014
Title: Heat template URL information leakage
Reporter: Jason Dunsmore (Rackspace)
Products: Heat
Versions: 2013.2 to 2013.2.3, and 2014.1

Jason Dunsmore from Rackspace reported a vulnerability in Heat. An
authenticated user may temporarily see the URL of a provider template
used in another tenant by listing heat resources types. This may result
in disclosure of additional information if the template itself can be
accessed. The URL disappears from the listing after a certain point in
the stack creation. All Heat setups are affected.

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.


Tristan Cacqueray
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (556 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ