OSSA-2013-035: Heat ReST API doesn’t respect tenant scoping

OSSA-2013-035: Heat ReST API doesn’t respect tenant scoping¶

Date:: December 11, 2013
CVE:: CVE-2013-6428

Affects¶

Heat: All supported releases

Description¶

Steven Hardy from Red Hat reported a vulnerability in the Heat ReST API. By changing the request path, an authenticated client may override their tenant scope resulting in privilege escalation. Only setups exposing the Heat orchestration ReST interface are affected.

Patches¶

https://review.openstack.org/#/c/61456 (Havana)
https://review.openstack.org/#/c/61455 (Icehouse)

Credits¶

Steven Hardy from Red Hat (CVE-2013-6428)

References¶

this page last updated: 2024-03-18 15:52:07

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.