CVE-2013-6426

Openstack Heat < 2013.2 - Access Control

Title source: rule

Description

The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.

References (5)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2014-0090.html

[Exploit, Patch] https://bugs.launchpad.net/heat/+bug/1256049

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/89658

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/64243

[Mailing List] http://www.openwall.com/lists/oss-security/2013/12/11/9

Scores

EPSS 0.0033

EPSS Percentile 55.5%

Classification

CWE

CWE-264

Status draft

Affected Products (1)

openstack/heat < 2013.2

Timeline

Published Dec 14, 2013

Tracked Since Feb 18, 2026