CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
EPSS
Percentile
48.1%
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not
require the current password when changing passwords for user accounts,
which makes it easier for remote attackers to change a user password by
leveraging the authentication token for that user.
Author | Note |
---|---|
jdstrand | v3 api introduced in grizzly (Ubuntu 13.04) upstream is not issuing a patch for grizzly (13.04) but instead providing only an OSSN (not issued yet) to for people to change the configuration defaults in keystone horizon on Ubuntu 13.04 explictly uses the keystoneclient v2 API and is therefore not affected |