Jeremy Stanley of the OpenStack Project reports: Steven Hardy from Red Hat reported a vulnerability in Heat's default API policy enforcement. By calling the CreateStack or UpdateStack methods, an in-instance user may be able to create or update a stack in violation of the default policy. Only setups using Heat's cloudformation-compatible API are affected.
Acknowledgements: Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.
Created attachment 833715 cve-2013-6426-master-icehouse.patch
Created attachment 833717 cve-2013-6426-stable-havana.patch
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0090 https://rhn.redhat.com/errata/RHSA-2014-0090.html
Created openstack-heat tracking bugs for this issue:

  Affects: fedora-19 [bug 1112428]