CVE-2013-6428 — Heat vulnerability

CWE-2648 documents7 sources

Severity

4.0MEDIUMNVD

EPSS

0.2%

top 61.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Heat

Timeline

PublishedDec 14

Latest updateMay 17

Description

The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶Debianopenstack/heat< 2013.2.1-1+3

▶NVDopenstack/heat2013.2

Patches

Patch: launchpad.net ↗Patch: launchpad.net ↗

🔴Vulnerability Details

GHSA

GHSA-xrx4-52w3-mpjx: The ReST API in OpenStack Orchestration API (Heat) before Havana 2013↗2022-05-17

▶

OSV

CVE-2013-6428: The ReST API in OpenStack Orchestration API (Heat) before Havana 2013↗2013-12-14

▶

CVEList

CVE-2013-6428: The ReST API in OpenStack Orchestration API (Heat) before Havana 2013↗2013-12-14

▶

📋Vendor Advisories

Red Hat

Heat: ReST API doesn't respect tenant scoping↗2013-12-11

▶

Debian

CVE-2013-6428: heat - The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Ic...↗2013

▶

💬Community

Bugzilla

CVE-2013-6428 openstack-heat: OpenStack Heat: ReST API doesn't respect tenant scoping [fedora-19]↗2014-06-23

▶

Bugzilla

CVE-2013-6428 OpenStack Heat: ReST API doesn't respect tenant scoping↗2013-12-06

▶