Date: Wed, 11 Dec 2013 15:52:50 +0000 From: Jeremy Stanley <jeremy@...nstack.org> To: oss-security@...ts.openwall.com Subject: [OSSA 2013-035] Heat ReST API doesn't respect tenant scoping (CVE-2013-6428) OpenStack Security Advisory: 2013-035 CVE: CVE-2013-6428 Date: December 11, 2013 Title: Heat ReST API doesn't respect tenant scoping Reporter: Steven Hardy (Red Hat) Products: Heat Affects: All supported releases Description: Steven Hardy from Red Hat reported a vulnerability in the Heat ReST API. By changing the request path, an authenticated client may override their tenant scope resulting in privilege escalation. Only setups exposing the Heat orchestration ReST interface are affected. Icehouse (development branch) fix: https://review.openstack.org/61455 Havana fix: https://review.openstack.org/61456 Notes: This fix will be included in the icehouse-2 development milestone and in a future 2013.2.1 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6428 https://launchpad.net/bugs/1256983 -- Jeremy Stanley OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (967 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.