Sara Perez Merino of SensePost reports: In the file logs/views.py the logs() call fails to sanitize the path taken when displaying a file requested by a remote client, allowing any readable file on the system to be viewed.
Acknowledgements: Red Hat would like to thank Sara Perez Merino of SensePost for reporting this issue.
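A path-confinement check of the kind the report says was missing, shown as an added example; it is not code from the affected project or from this bug. The names `resolve_under` and `read_log`, the directory layout and the sample requests are hypothetical and constructed for illustration.

```python
import os
import tempfile

class PathOutsideBase(Exception):
    """The requested path resolves outside the permitted directory."""

def resolve_under(base_dir, requested):
    """Return the real path of `requested`, or raise if it leaves `base_dir`."""
    base = os.path.realpath(base_dir)
    # os.path.join() drops `base` when `requested` is absolute, and realpath()
    # follows ".." and symlinks, so the check runs on the resolved result.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole components: "/x/logs-old" is not under "/x/logs".
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(requested)
    return candidate

def read_log(base_dir, requested, limit=65536):
    # Hypothetical handler body: only ever opens the confined, resolved path.
    with open(resolve_under(base_dir, requested), "rb") as fh:
        return fh.read(limit)

def demo():
    """Classify constructed requests against a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        logs = os.path.join(root, "logs")
        secret = os.path.join(root, "secret.conf")
        os.makedirs(os.path.join(logs, "app"))
        os.makedirs(os.path.join(root, "logs-old"))
        for path in (os.path.join(logs, "app", "service.log"), secret,
                     os.path.join(root, "logs-old", "x.log")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(secret, os.path.join(logs, "link.log"))
        requests = {
            "plain": "app/service.log",
            "normalized": "app/../app/service.log",
            "dotdot": "../secret.conf",
            "absolute": secret,
            "sibling-prefix": "../logs-old/x.log",
            "symlink": "link.log",
        }
        for label, requested in requests.items():
            try:
                read_log(logs, requested)
                results[label] = "served"
            except PathOutsideBase:
                results[label] = "rejected"
    return results
```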
*** Bug 1193491 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: OpenStack 6 for RHEL 7, via RHSA-2015:0645 (https://rhn.redhat.com/errata/RHSA-2015-0645.html)
This issue has been addressed in the following products: OpenStack 5 for RHEL 6, via RHSA-2015:0841 (https://rhn.redhat.com/errata/RHSA-2015-0841.html)
This issue has been addressed in the following products: OpenStack 5 for RHEL 7, via RHSA-2015:0840 (https://rhn.redhat.com/errata/RHSA-2015-0840.html)