Vulnerability Description
The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Heat | <= 2013.2 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2014-0090.html
- http://www.openwall.com/lists/oss-security/2013/12/11/9
- http://www.securityfocus.com/bid/64243
- https://bugs.launchpad.net/heat/+bug/1256049ExploitPatch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89658
- http://rhn.redhat.com/errata/RHSA-2014-0090.html
- http://www.openwall.com/lists/oss-security/2013/12/11/9
- http://www.securityfocus.com/bid/64243
- https://bugs.launchpad.net/heat/+bug/1256049ExploitPatch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89658
FAQ
What is CVE-2013-6426?
CVE-2013-6426 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance use...
How severe is CVE-2013-6426?
CVE-2013-6426 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-6426?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Heat.