oss-sec mailing list archives
CVE request for vulnerability in OpenStack Heat
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Tue, 20 May 2014 07:59:20 -0400
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Heat template URL information leakage Reporter: Jason Dunsmore (Rackspace) Products: Heat Versions: 2013.2 to 2013.2.3, and 2014.1 Description: Jason Dunsmore from Rackspace reported a vulnerability in Heat. An authenticated user may temporarily see the URL of a provider template used in another tenant by listing heat resources types. This may result in disclosure of additional information if the template itself can be accessed. The URL disappears from the listing after a certain point in the stack creation. All Heat setups are affected. References: https://launchpad.net/bugs/1311223 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for vulnerability in OpenStack Heat Tristan Cacqueray (May 20)
- Re: CVE request for vulnerability in OpenStack Heat cve-assign (May 20)