CVE-2013-6426 — Heat vulnerability

CWE-2648 documents7 sources

Severity

4.0MEDIUMNVD

EPSS

0.3%

top 44.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Heat

Timeline

PublishedDec 14

Latest updateMay 17

Description

The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶Debianopenstack/heat< 2013.2.1-1+3

▶NVDopenstack/heat2013.2

Patches

Patch: bugs.launchpad.net ↗Patch: bugs.launchpad.net ↗

🔴Vulnerability Details

GHSA

GHSA-3m5x-89wr-x574: The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013↗2022-05-17

▶

CVEList

CVE-2013-6426: The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013↗2013-12-14

▶

OSV

CVE-2013-6426: The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013↗2013-12-14

▶

📋Vendor Advisories

Red Hat

Heat: CFN policy rules not all enforced↗2013-12-11

▶

Debian

CVE-2013-6426: heat - The cloudformation-compatible API in OpenStack Orchestration API (Heat) before H...↗2013

▶

💬Community

Bugzilla

CVE-2013-6426 openstack-heat: OpenStack Heat: CFN policy rules not all enforced [fedora-19]↗2014-06-23

▶

Bugzilla

CVE-2013-6426 OpenStack Heat: CFN policy rules not all enforced↗2013-12-06

▶