Password Change Vulnerability in OpenStack Horizon API
CVE-2013-4471
Currently unrated
Summary
The Identity v3 API in OpenStack Dashboard (Horizon) prior to version 2013.2 allows authenticated users to change passwords without providing their current password. A remote attacker who has acquired a user's authentication token can exploit this to change that user's password without authorization, which poses a significant risk to user account security.