Launchpad.net

CVE 2014-3801

OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list.

Related bugs and status

CVE-2014-3801 (Candidate) is related to these bugs:

Bug #1311223: [OSSA 2014-016] User's provider templates show up in listing of resource types globally across tenants (CVE-2014-3801)

		In	Importance	Status
1311223	[OSSA 2014-016] User's provider templates show up in listing of resource types globally across tenants (CVE-2014-3801)	OpenStack Heat	Critical	Fix Released
1311223	[OSSA 2014-016] User's provider templates show up in listing of resource types globally across tenants (CVE-2014-3801)	OpenStack Security Advisory	Medium	Fix Released
1311223	[OSSA 2014-016] User's provider templates show up in listing of resource types globally across tenants (CVE-2014-3801)	OpenStack Heat havana	Critical	Fix Released
1311223	[OSSA 2014-016] User's provider templates show up in listing of resource types globally across tenants (CVE-2014-3801)	OpenStack Heat icehouse	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2014-3801

Related bugs and status

Related bugs

References