The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
References
Link | Resource |
---|---|
http://lists.openstack.org/pipermail/openstack/2013-November/003299.html | Vendor Advisory |
https://bugs.launchpad.net/horizon/+bug/1237989 | Issue Tracking Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2014-05-14T19:00:00
Updated: 2014-05-14T18:57:01
Reserved: 2013-06-12T00:00:00
Link: CVE-2013-4471
JSON object: View
NVD Information
Status : Analyzed
Published: 2014-05-14T19:55:10.277
Modified: 2021-03-09T14:43:16.633
Link: CVE-2013-4471
JSON object: View
Redhat Information
No data.
CWE