Jeremy Stanley of the OpenStack Project reports: Steven Hardy from Red Hat reported a vulnerability in the Heat ReST API. By changing the request path, an authenticated client may override their tenant scope resulting in privilege escalation. Only setups exposing the Heat orchestration ReST interface are affected.
Acknowledgements: Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.
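The class of flaw described in the report, shown as an added example (this is not Heat's code or the upstream patch): a handler that takes the tenant from the request path alone, next to one that checks it against the tenant bound to the authenticated token. The route shape, function names and sample data are assumptions made for illustration.

```python
import re

# Assumed route shape for illustration: /v1/<tenant_id>/stacks[/...]
ROUTE = re.compile(r"^/v1/(?P<tenant_id>[^/]+)/stacks(?:/.*)?$")

# Constructed sample data: stack names keyed by owning tenant.
STACKS = {"tenant-a": ["web"], "tenant-b": ["payroll"]}


class Forbidden(Exception):
    """Would map to HTTP 403 in a real service."""


class NotFound(Exception):
    """Would map to HTTP 404 in a real service."""


def path_tenant(path):
    """Extract the tenant segment from the request path."""
    match = ROUTE.match(path)
    if match is None:
        raise NotFound(path)
    return match.group("tenant_id")


def list_stacks_unscoped(path, token_tenant):
    # Flawed pattern: the caller is authenticated, but the tenant used for
    # the lookup comes only from the path, so token_tenant is never consulted.
    return STACKS.get(path_tenant(path), [])


def list_stacks_scoped(path, token_tenant):
    # Hardened pattern: the path tenant must equal the tenant bound to the
    # validated token; an empty or missing token tenant is rejected too.
    requested = path_tenant(path)
    if not token_tenant or requested != token_tenant:
        raise Forbidden(f"token is not scoped to tenant {requested!r}")
    return STACKS.get(token_tenant, [])


if __name__ == "__main__":
    print(list_stacks_scoped("/v1/tenant-a/stacks", "tenant-a"))
    try:
        list_stacks_scoped("/v1/tenant-b/stacks", "tenant-a")
    except Forbidden as err:
        print("rejected:", err)
```
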
Created attachment 833716: cve-2013-6428-master-icehouse.patch
Created attachment 833718: cve-2013-6428-stable-havana.patch
This issue has been addressed in the following products:
OpenStack 4 for RHEL 6
Via RHSA-2014:0090 https://rhn.redhat.com/errata/RHSA-2014-0090.html
Created openstack-heat tracking bugs for this issue:
Affects: fedora-19 [bug 1112426]