oss-sec mailing list archives
[OSSA 2016-013] Network information disclosure through Heat template source URL (CVE-2016-9185)
From: Tristan Cacqueray <tdecacqu () redhat com>
Date: Fri, 18 Nov 2016 14:01:05 +0000
============================================================================== OSSA-2016-013: Network information disclosure through Heat template source URL ============================================================================== :Date: November 18, 2016 :CVE: CVE-2016-9185 Affects ~~~~~~~ - Heat: <=5.0.3, >=6.0.0 <=6.1.0 and ==7.0.0 Description ~~~~~~~~~~~ Tom Patzig from SAP reported a vulnerability in Heat. By launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. All Heat setup are affected. Patches ~~~~~~~ - https://review.openstack.org/393149 (Liberty) - https://review.openstack.org/393148 (Mitaka) - https://review.openstack.org/393147 (Newton) - https://review.openstack.org/393146 (Ocata) Credits ~~~~~~~ - Tom Patzig from SAP (CVE-2015-9185) References ~~~~~~~~~~ - https://launchpad.net/bugs/1606500 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9185 -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [OSSA 2016-013] Network information disclosure through Heat template source URL (CVE-2016-9185) Tristan Cacqueray (Nov 18)