CVE-2013-4471 — Improper Authentication in Horizon

CWE-287 — Improper Authentication7 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 60.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Horizon

Timeline

PublishedMay 14

Latest updateMay 13

Description

The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 8.0 | Impact: 4.9

Affected Packages1 packages

▶NVDopenstack/horizon2013.1 — 2013.2

Patches

Patch: bugs.launchpad.net ↗Patch: bugs.launchpad.net ↗

🔴Vulnerability Details

GHSA

GHSA-3hqv-63pg-94p2: The Identity v3 API in OpenStack Dashboard (Horizon) before 2013↗2022-05-13

▶

OSV

CVE-2013-4471: The Identity v3 API in OpenStack Dashboard (Horizon) before 2013↗2014-05-14

▶

CVEList

CVE-2013-4471: The Identity v3 API in OpenStack Dashboard (Horizon) before 2013↗2014-05-14

▶

📋Vendor Advisories

Red Hat

OpenStack: python-django-horizonpassword reset vulnerability↗2013-10-08

▶

Debian

CVE-2013-4471: horizon - The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not requ...↗2013

▶

💬Community

Bugzilla

CVE-2013-4471 OpenStack: python-django-horizonpassword reset vulnerability↗2013-10-25

▶