OSSA-2013-035: Heat ReST API doesn’t respect tenant scoping
December 11, 2013
Heat: All supported releases
Steven Hardy from Red Hat reported a vulnerability in the Heat ReST API. By changing the request path, an authenticated client may override their tenant scope, resulting in privilege escalation. Only setups exposing the Heat orchestration ReST interface are affected.
Steven Hardy from Red Hat (CVE-2013-6428)
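The class of check the description implies, written as an added example (it is not Heat's code and not the project's fix): a WSGI middleware that rejects a request whose path tenant differs from the tenant the credentials were issued for. Assumptions: paths have the form `/v1/<tenant_id>/...`, an upstream auth layer has placed the authenticated tenant in `HTTP_X_TENANT_ID`, and the middleware wraps only tenant-scoped routes; the names `path_tenant`, `scope_violation` and `TenantScopeMiddleware` are hypothetical.

```python
# Added example: tenant-scope check for a REST API that carries the tenant
# in the URL path. Not taken from Heat.
# Assumptions: paths look like /v1/<tenant_id>/..., the auth layer sets
# HTTP_X_TENANT_ID from the validated token, and only tenant-scoped routes
# pass through this middleware.
import re

_TENANT_PATH = re.compile(r"^/v1/(?P<tenant>[^/]+)(?:/|$)")


def path_tenant(path):
    """Return the tenant segment of the path, or None if there is none."""
    m = _TENANT_PATH.match(path)
    return m.group("tenant") if m else None


def scope_violation(environ):
    """Return a reason string if the request must be rejected, else None."""
    authed = environ.get("HTTP_X_TENANT_ID")
    if not authed:
        return "no authenticated tenant in request context"
    requested = path_tenant(environ.get("PATH_INFO", ""))
    if requested is None:
        return "path carries no tenant segment"
    if requested != authed:
        # The path names a tenant other than the one the token is scoped to.
        return "path tenant %r does not match token tenant %r" % (requested, authed)
    return None


class TenantScopeMiddleware(object):
    """Answer 403 unless the path tenant equals the authenticated tenant."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        reason = scope_violation(environ)
        if reason is not None:
            body = ("Forbidden: %s\n" % reason).encode("utf-8")
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)
```

The check fails closed: a request with no authenticated tenant or no tenant segment in the path is rejected rather than passed through.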