OSSA-2014-016: Heat template URL information leakage

OSSA-2014-016: Heat template URL information leakage¶

Date:: May 23, 2014
CVE:: CVE-2014-3801

Affects¶

Heat: 2013.2 to 2013.2.3, and 2014.1

Description¶

Jason Dunsmore from Rackspace reported a vulnerability in Heat. An authenticated user may temporarily see the URL of a provider template used in another tenant by listing heat resources types. This may result in disclosure of additional information if the template itself can be accessed. The URL disappears from the listing after a certain point in the stack creation. All Heat setups are affected.

Patches¶

https://review.openstack.org/#/c/94644 (Havana)
https://review.openstack.org/#/c/94625 (Icehouse)
https://review.openstack.org/#/c/89695 (Juno)

Credits¶

Jason Dunsmore from Rackspace (CVE-2014-3801)

References¶

this page last updated: 2024-10-03 16:29:15

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.