OSSA-2013-034: Heat CFN policy rules not all enforced¶
December 11, 2013
Heat: All supported releases
Steven Hardy from Red Hat reported a vulnerability in Heat’s default API policy enforcement. By calling the CreateStack or UpdateStack methods, an in-instance user may be able to create or update a stack in violation of the default policy. Only setups using Heat’s cloudformation-compatible API are affected.
Steven Hardy from Red Hat (CVE-2013-6426)