CVE-2014-3801

Openstack Heat < 5.0.0a0 - Information Disclosure

Title source: rule

Description

OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list.

References (6)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2014-1687.html

[Vendor Advisory] http://www.ubuntu.com/usn/USN-2249-1

[Issue Tracking] https://bugs.launchpad.net/heat/+bug/1311223

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/67505

[Mailing List] http://www.openwall.com/lists/oss-security/2014/05/20/1

[Mailing List] http://www.openwall.com/lists/oss-security/2014/05/20/6

Scores

EPSS 0.0043

EPSS Percentile 62.1%

Classification

CWE

CWE-200

Status draft

Affected Products (6)

openstack/heat

pypi/openstack-heat < 5.0.0a0PyPI

Timeline

Published May 23, 2014

Tracked Since Feb 18, 2026