CVE-2013-4471
Published: 14 May 2014
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
Notes
Author | Note |
---|---|
jdstrand | v3 api introduced in grizzly (Ubuntu 13.04) upstream is not issuing a patch for grizzly (13.04) but instead providing only an OSSN (not issued yet) to for people to change the configuration defaults in keystone horizon on Ubuntu 13.04 explictly uses the keystoneclient v2 API and is therefore not affected |
Priority
Status
Package | Release | Status |
---|---|---|
horizon Launchpad, Ubuntu, Debian |
upstream |
Released
(2013.2)
|
lucid |
Does not exist
|
|
precise |
Not vulnerable
|
|
quantal |
Not vulnerable
|
|
raring |
Not vulnerable
|
|
saucy |
Not vulnerable
(1:2013.2-0ubuntu1)
|
|
trusty |
Not vulnerable
|
|
Patches: upstream: https://review.openstack.org/#/c/51157/ |