OSSA-2016-013: Network information disclosure through Heat template source URL

OSSA-2016-013: Network information disclosure through Heat template source URL¶

Date:: November 04, 2016
CVE:: CVE-2016-9185

Affects¶

Heat: <=5.0.3, >=6.0.0 <=6.1.0 and ==7.0.0

Description¶

Tom Patzig from SAP reported a vulnerability in Heat. By launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. All Heat setup are affected.

Patches¶

https://review.openstack.org/393149 (Liberty)
https://review.openstack.org/393148 (Mitaka)
https://review.openstack.org/393147 (Newton)
https://review.openstack.org/393146 (Ocata)

Credits¶

Tom Patzig from SAP (CVE-2015-9185)

References¶

this page last updated: 2024-10-03 16:29:15

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.