OpenStack Security Advisory: 2013-035
CVE: CVE-2013-6428
Date: December 11, 2013
Title: Heat ReST API doesn't respect tenant scoping
Reporter: Steven Hardy (Red Hat)
Products: Heat
Affects: All supported releases

Description:
Steven Hardy from Red Hat reported a vulnerability in the Heat ReST API. By changing the request path, an authenticated client may override their tenant scope, resulting in privilege escalation. Only setups exposing the Heat orchestration ReST interface are affected.

Icehouse (development branch) fix:
https://review.openstack.org/61455

Havana fix:
https://review.openstack.org/61456

Notes:
This fix will be included in the icehouse-2 development milestone and in a future 2013.2.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6428
https://launchpad.net/bugs/1256983

--
Jeremy Stanley
OpenStack Vulnerability Management Team
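An added illustration of the class of check that closes this bug, written for this page and not taken from Heat or from the linked reviews: the tenant named in the request path is compared with the tenant bound to the validated token, and a mismatch is refused instead of being honoured. It assumes a `/v1/{tenant_id}/...` path layout; `RequestContext` and the function names are hypothetical.

```python
# Added example, not Heat's own code. Assumes paths of the form
# /v1/{tenant_id}/...; the context class and function names are hypothetical.
import re
from dataclasses import dataclass
from typing import Optional

# Tenant segment immediately after the API version prefix.
PATH_TENANT = re.compile(r"^/v1/(?P<tenant>[^/]+)(?:/|$)")


@dataclass(frozen=True)
class RequestContext:
    """Identity established from the validated token, never from the URL."""
    user_id: str
    tenant_id: str


def path_tenant(path: str) -> Optional[str]:
    """Extract the tenant segment from the request path, if present."""
    match = PATH_TENANT.match(path)
    return match.group("tenant") if match else None


def resolve_tenant_unscoped(path: str, ctx: RequestContext) -> str:
    """Weak pattern: the path decides the tenant, so a caller can pick any one.

    This is the shape of the flaw the advisory describes: the token scope is
    only a fallback and the URL can override it.
    """
    tenant = path_tenant(path)
    return tenant if tenant is not None else ctx.tenant_id


def resolve_tenant_scoped(path: str, ctx: RequestContext) -> str:
    """Hardened pattern: the path must agree with the token's tenant scope."""
    tenant = path_tenant(path)
    if tenant is None:
        raise ValueError("tenant missing from request path")
    if tenant != ctx.tenant_id:
        # Refuse outright; a mismatch here is worth logging for detection,
        # since a legitimate client never names a tenant other than its own.
        raise PermissionError(
            f"path tenant {tenant!r} does not match token tenant {ctx.tenant_id!r}"
        )
    return tenant


if __name__ == "__main__":
    ctx = RequestContext(user_id="user-1", tenant_id="tenant-a")
    print(resolve_tenant_unscoped("/v1/tenant-b/stacks", ctx))  # tenant-b (wrong)
    print(resolve_tenant_scoped("/v1/tenant-a/stacks", ctx))    # tenant-a
```

The scoped resolver is the only one an API should call; the unscoped variant is kept beside it purely to show what the missing comparison looks like.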