Date: Fri, 23 May 2014 14:27:44 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-016] Heat template URL information leakage (CVE-2014-3801) OpenStack Security Advisory: 2014-016 CVE: CVE-2014-3801 Date: May 23, 2014 Title: Heat template URL information leakage Reporter: Jason Dunsmore (Rackspace) Products: Heat Versions: 2013.2 to 2013.2.3, and 2014.1 Description: Jason Dunsmore from Rackspace reported a vulnerability in Heat. An authenticated user may temporarily see the URL of a provider template used in another tenant by listing heat resources types. This may result in disclosure of additional information if the template itself can be accessed. The URL disappears from the listing after a certain point in the stack creation. All Heat setups are affected. Juno (development branch) fix: https://review.openstack.org/89695 Icehouse fix: https://review.openstack.org/94625 Havana fix: https://review.openstack.org/94644 Notes: This fix will be included in the juno-1 development milestone and in future 2013.2.4 and 2014.1.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3801 https://launchpad.net/bugs/1311223 -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (556 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ