CVE-2014-3801

OpenStack Heat 2013.2-2013.2.3 and 2014.1 - Authenticated Provider Template URL Exposure via Resource-Type-List


Description

OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list.

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/67505
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2249-1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/05/20/1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/05/20/6
Issue Tracking x_refsource_confirm
https://bugs.launchpad.net/heat/+bug/1311223
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-1687.html

Scores

EPSS 0.0043
EPSS Percentile 62.6%

Details

CWE
CWE-200
Status published
Products (6)
openstack/heat 2013.2
openstack/heat 2013.2.1
openstack/heat 2013.2.2
openstack/heat 2013.2.3
openstack/heat 2014.1
pypi/openstack-heat 0 - 5.0.0a0 (PyPI)
Published May 23, 2014
Tracked Since Feb 18, 2026