OSSA-2013-034: Heat CFN policy rules not all enforced

OSSA-2013-034: Heat CFN policy rules not all enforced¶

Date:: December 11, 2013
CVE:: CVE-2013-6426

Affects¶

Heat: All supported releases

Description¶

Steven Hardy from Red Hat reported a vulnerability in Heat’s default API policy enforcement. By calling the CreateStack or UpdateStack methods, an in-instance user may be able to create or update a stack in violation of the default policy. Only setups using Heat’s cloudformation-compatible API are affected.

Patches¶

https://review.openstack.org/#/c/61454 (Havana)
https://review.openstack.org/#/c/61452 (Icehouse)

Credits¶

Steven Hardy from Red Hat (CVE-2013-6426)

References¶

this page last updated: 2024-10-03 16:29:15

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.