OSSA-2013-035: Heat ReST API doesn’t respect tenant scoping

Date:December 11, 2013
CVE:CVE-2013-6428

Affects

  • Heat: All supported releases

Description

Steven Hardy from Red Hat reported a vulnerability in the Heat ReST API. By changing the request path, an authenticated client may override their tenant scope resulting in privilege escalation. Only setups exposing the Heat orchestration ReST interface are affected.

Credits

  • Steven Hardy from Red Hat (CVE-2013-6428)