CVE-2013-6426

OpenStack Heat < 2013.2 - Unauthenticated Stack Creation and Update via CloudFormation API

Title source: llm
STIX 2.1

Description

The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.

References (5)

Core 5
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0090.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/89658
Exploit, Patch x_refsource_confirm
https://bugs.launchpad.net/heat/+bug/1256049
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/12/11/9
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/64243

Scores

EPSS 0.0033
EPSS Percentile 56.0%

Details

CWE
CWE-264
Status published
Products (1)
openstack/heat < 2013.2
Published Dec 14, 2013
Tracked Since Feb 18, 2026