Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2013-4471

The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.

Related bugs and status

CVE-2013-4471 (Candidate) is related to these bugs:

Bug #1237989: user can update his password without knowing the old password

		In	Importance	Status
1237989	user can update his password without knowing the old password	OpenStack Dashboard (Horizon)	Critical	Fix Released
1237989	user can update his password without knowing the old password	OpenStack Identity (keystone)	Critical	Fix Released
1237989	user can update his password without knowing the old password	OpenStack Security Notes	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://lists.openstack...
MISC: https://bugs.launchpad...