CVE-2014-3801 – openstack-heat: authenticated information leak in Heat

https://notcve.org/view.php?id=CVE-2014-3801

OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list. OpenStack Orchestration API (Heat) 2013.2 hasta 2013.2.3 y 2014.1, cuando crea la pila para una plantilla que utiliza una plantilla de proveedor, permite a usuarios remotos autenticados obtener la URL de plantilla de proveedor a través de resource-type-list. It was discovered that a user could temporarily be able to see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible. • http://rhn.redhat.com/errata/RHSA-2014-1687.html http://www.openwall.com/lists/oss-security/2014/05/20/1 http://www.openwall.com/lists/oss-security/2014/05/20/6 http://www.securityfocus.com/bid/67505 http://www.ubuntu.com/usn/USN-2249-1 https://bugs.launchpad.net/heat/+bug/1311223 https://access.redhat.com/security/cve/CVE-2014-3801 https://bugzilla.redhat.com/show_bug.cgi?id=1099748 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •