CVE-2013-6428

Openstack Heat < 2013.2 - Access Control

Title source: rule

Description

The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path.

References (3)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2014-0090.html

[Mailing List] http://seclists.org/oss-sec/2013/q4/479

[Exploit, Patch] https://launchpad.net/bugs/1256983

Scores

EPSS 0.0017

EPSS Percentile 38.1%

Classification

CWE

CWE-264

Status draft

Affected Products (1)

openstack/heat < 2013.2

Timeline

Published Dec 14, 2013

Tracked Since Feb 18, 2026