CVE-2014-3801
openstack-heat: authenticated information leak in Heat
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list.
OpenStack Orchestration API (Heat) 2013.2 hasta 2013.2.3 y 2014.1, cuando crea la pila para una plantilla que utiliza una plantilla de proveedor, permite a usuarios remotos autenticados obtener la URL de plantilla de proveedor a través de resource-type-list.
It was discovered that a user could temporarily be able to see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible.
OpenStack Orchestration is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources. It was discovered that a user could temporarily be able to see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-05-20 CVE Reserved
- 2014-05-23 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2014/05/20/1 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2014/05/20/6 | Mailing List |
|
| http://www.securityfocus.com/bid/67505 | Vdb Entry | |
| https://bugs.launchpad.net/heat/+bug/1311223 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-1687.html | 2017-12-29 | |
| http://www.ubuntu.com/usn/USN-2249-1 | 2017-12-29 | |
| https://access.redhat.com/security/cve/CVE-2014-3801 | 2014-10-22 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1099748 | 2014-10-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openstack Search vendor "Openstack" | Heat Search vendor "Openstack" for product "Heat" | 2013.2 Search vendor "Openstack" for product "Heat" and version "2013.2" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Heat Search vendor "Openstack" for product "Heat" | 2013.2.1 Search vendor "Openstack" for product "Heat" and version "2013.2.1" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Heat Search vendor "Openstack" for product "Heat" | 2013.2.2 Search vendor "Openstack" for product "Heat" and version "2013.2.2" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Heat Search vendor "Openstack" for product "Heat" | 2013.2.3 Search vendor "Openstack" for product "Heat" and version "2013.2.3" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Heat Search vendor "Openstack" for product "Heat" | 2014.1 Search vendor "Openstack" for product "Heat" and version "2014.1" | - |
Affected
| ||||||