OSSA-2013-034: Heat CFN policy rules not all enforced

Date: December 11, 2013
CVE: CVE-2013-6426

Affects

  • Heat: All supported releases

Description

Steven Hardy from Red Hat reported a vulnerability in Heat’s default API policy enforcement. By calling the CreateStack or UpdateStack methods, an in-instance user may be able to create or update a stack in violation of the default policy. Only setups using Heat’s cloudformation-compatible API are affected.

Credits

  • Steven Hardy from Red Hat (CVE-2013-6426)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.