Candidate: CVE-2013-4471
PublicDate: 2014-05-14 19:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4471
 https://bugs.launchpad.net/horizon/+bug/1237989
 https://review.openstack.org/#/c/50962/
Description:
 The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not
 require the current password when changing passwords for user accounts,
 which makes it easier for remote attackers to change a user password by
 leveraging the authentication token for that user.
Ubuntu-Description:
Notes:
 jdstrand> v3 api introduced in grizzly (Ubuntu 13.04)
 jdstrand> upstream is not issuing a patch for grizzly (13.04) but instead
  providing only an OSSN (not issued yet) to for people to change the
  configuration defaults in keystone
 jdstrand> horizon on Ubuntu 13.04 explictly uses the keystoneclient v2 API
  and is therefore not affected
Bugs:
 https://bugs.launchpad.net/horizon/+bug/1237989
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_horizon:
 upstream: https://review.openstack.org/#/c/51157/
upstream_horizon: released (2013.2)
lucid_horizon: DNE
precise_horizon: not-affected
quantal_horizon: not-affected
raring_horizon: not-affected
saucy_horizon: not-affected (1:2013.2-0ubuntu1)
devel_horizon: not-affected