The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
access.redhat.com/errata/RHSA-2015:1862
access.redhat.com/security/cve/CVE-2015-5271
bugs.launchpad.net/tripleo/+bug/1494896
bugzilla.redhat.com/show_bug.cgi?id=1261697
git.openstack.org/cgit/openstack/tripleo-heat-templates
git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476
launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch
nvd.nist.gov/vuln/detail/CVE-2015-5271
review.openstack.org/226541
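A way to audit a deployed Swift proxy configuration for the ordering described above, as an added example that is not code from the TripleO or Swift projects. It assumes the conventional filter names `authtoken`, `keystone` and `keystoneauth`; both sample configurations are constructed.

```python
import configparser

# Assumed conventional names of the Keystone-related filters in a Swift
# proxy pipeline; adjust if the deployment names its filters differently.
AUTH_FILTERS = ("authtoken", "keystone", "keystoneauth")
GUARDED = "staticweb"

def pipeline_from_conf(text):
    """Return the middleware names of [pipeline:main], in request order."""
    # RawConfigParser: paste-deploy files may contain %(here)s style values.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return cp.get("pipeline:main", "pipeline").split()

def check_order(pipeline):
    """Return findings; an empty list means staticweb sits behind auth."""
    if GUARDED not in pipeline:
        return []  # staticweb disabled, the ordering issue does not apply
    pos = pipeline.index(GUARDED)
    present = [f for f in AUTH_FILTERS if f in pipeline]
    if not present:
        return ["staticweb enabled but no Keystone auth filter in pipeline"]
    return [f"{f} comes after staticweb"
            for f in present if pipeline.index(f) > pos]

# Constructed sample: staticweb handles the request before Keystone does.
MISORDERED = """
[DEFAULT]
bind_port = 8080

[pipeline:main]
pipeline = catch_errors healthcheck cache ratelimit staticweb
    authtoken keystone proxy-logging proxy-server

[filter:staticweb]
use = egg:swift#staticweb
"""

# Constructed sample: Keystone filters precede staticweb.
ORDERED = MISORDERED.replace("staticweb\n    authtoken keystone",
                             "authtoken keystone\n    staticweb")

if __name__ == "__main__":
    for name, conf in (("misordered", MISORDERED), ("ordered", ORDERED)):
        findings = check_order(pipeline_from_conf(conf))
        print(name, "->", findings or "OK")
```

Run it against the contents of the proxy configuration file on each controller after applying the fix to confirm the rendered pipeline matches the corrected template.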