tripleo-heat-templates is susceptible to unauthenticated access to private data. The vulnerability is due to a flaw in the ordering of the staticweb middleware in the Swift proxy configuration pipeline generated from the tripleo-heat-templates package. The staticweb middleware must be placed after the authentication middlewares in the pipeline so that requests are authenticated before staticweb handles them. Attackers can use this flaw to bypass authentication and access private data.
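The following check is an added example, not code from the advisory or from tripleo-heat-templates. It parses a Swift proxy-server.conf and reports any staticweb entry that precedes an authentication middleware in `[pipeline:main]`. The two sample configurations are constructed for illustration, and the list of names treated as authentication middleware is an assumption to adjust for your deployment.

```python
import configparser

# Assumption: substrings that identify authentication middleware in this check.
AUTH_MARKERS = ("tempauth", "keystoneauth", "auth_token", "authtoken")

# Constructed sample (not taken from the advisory): staticweb ahead of auth.
VULNERABLE = """\
[pipeline:main]
pipeline = catch_errors healthcheck cache staticweb authtoken keystone proxy-server

[filter:staticweb]
use = egg:swift#staticweb

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:keystone]
use = egg:swift#keystoneauth
"""
# Constructed sample with staticweb moved after the authentication filters.
FIXED = VULNERABLE.replace("staticweb authtoken keystone", "authtoken keystone staticweb")

def _identity(cfg, name):
    """Resolve a pipeline alias to its middleware via its [filter:NAME] section."""
    section = f"filter:{name}"
    if cfg.has_section(section):
        for key in ("use", "paste.filter_factory"):
            if cfg.has_option(section, key):
                return cfg.get(section, key)
    return name  # no filter section: fall back to the alias itself

def check_staticweb_order(conf_text):
    """Return findings; an empty list means no staticweb entry precedes auth."""
    cfg = configparser.RawConfigParser(strict=False)
    cfg.read_string(conf_text)
    names = cfg.get("pipeline:main", "pipeline").split()
    resolved = [_identity(cfg, n) for n in names]
    auth = [i for i, r in enumerate(resolved) if any(m in r for m in AUTH_MARKERS)]
    findings = []
    for i, r in enumerate(resolved):
        later_auth = [names[j] for j in auth if j > i]
        if "staticweb" in r and later_auth:
            findings.append(f"'{names[i]}' runs before auth middleware: {', '.join(later_auth)}")
    return findings

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, check_staticweb_order(text) or "OK")
```

To audit a deployed node, pass the contents of its proxy-server.conf to `check_staticweb_order` instead of the samples.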
access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/release-notes
access.redhat.com/errata/RHSA-2015:1862
access.redhat.com/security/cve/CVE-2015-5271
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/tripleo/+bug/1494896
bugzilla.redhat.com/show_bug.cgi?id=1223022
bugzilla.redhat.com/show_bug.cgi?id=1226376
bugzilla.redhat.com/show_bug.cgi?id=1228862
bugzilla.redhat.com/show_bug.cgi?id=1231777
bugzilla.redhat.com/show_bug.cgi?id=1233949
bugzilla.redhat.com/show_bug.cgi?id=1235320
bugzilla.redhat.com/show_bug.cgi?id=1235325
bugzilla.redhat.com/show_bug.cgi?id=1236136
bugzilla.redhat.com/show_bug.cgi?id=1236663
bugzilla.redhat.com/show_bug.cgi?id=1236707
bugzilla.redhat.com/show_bug.cgi?id=1237020
bugzilla.redhat.com/show_bug.cgi?id=1240260
bugzilla.redhat.com/show_bug.cgi?id=1241199
bugzilla.redhat.com/show_bug.cgi?id=1241668
bugzilla.redhat.com/show_bug.cgi?id=1243015
bugzilla.redhat.com/show_bug.cgi?id=1243032
bugzilla.redhat.com/show_bug.cgi?id=1243062
bugzilla.redhat.com/show_bug.cgi?id=1243121
bugzilla.redhat.com/show_bug.cgi?id=1243472
bugzilla.redhat.com/show_bug.cgi?id=1243601
bugzilla.redhat.com/show_bug.cgi?id=1243829
bugzilla.redhat.com/show_bug.cgi?id=1244001
bugzilla.redhat.com/show_bug.cgi?id=1244026
bugzilla.redhat.com/show_bug.cgi?id=1244032
bugzilla.redhat.com/show_bug.cgi?id=1244856
bugzilla.redhat.com/show_bug.cgi?id=1244864
bugzilla.redhat.com/show_bug.cgi?id=1245212
bugzilla.redhat.com/show_bug.cgi?id=1245714
bugzilla.redhat.com/show_bug.cgi?id=1246596
bugzilla.redhat.com/show_bug.cgi?id=1247015
bugzilla.redhat.com/show_bug.cgi?id=1247722
bugzilla.redhat.com/show_bug.cgi?id=1248172
bugzilla.redhat.com/show_bug.cgi?id=1249640
bugzilla.redhat.com/show_bug.cgi?id=1250249
bugzilla.redhat.com/show_bug.cgi?id=1250250
bugzilla.redhat.com/show_bug.cgi?id=1251566
bugzilla.redhat.com/show_bug.cgi?id=1252054
bugzilla.redhat.com/show_bug.cgi?id=1252219
bugzilla.redhat.com/show_bug.cgi?id=1252437
bugzilla.redhat.com/show_bug.cgi?id=1252509
bugzilla.redhat.com/show_bug.cgi?id=1252553
bugzilla.redhat.com/show_bug.cgi?id=1253465
bugzilla.redhat.com/show_bug.cgi?id=1253628
bugzilla.redhat.com/show_bug.cgi?id=1253777
bugzilla.redhat.com/show_bug.cgi?id=1254897
bugzilla.redhat.com/show_bug.cgi?id=1255910
bugzilla.redhat.com/show_bug.cgi?id=1255931
bugzilla.redhat.com/show_bug.cgi?id=1256477
bugzilla.redhat.com/show_bug.cgi?id=1257414
bugzilla.redhat.com/show_bug.cgi?id=1257642
bugzilla.redhat.com/show_bug.cgi?id=1259393
bugzilla.redhat.com/show_bug.cgi?id=1259905
bugzilla.redhat.com/show_bug.cgi?id=1260736
bugzilla.redhat.com/show_bug.cgi?id=1260991
bugzilla.redhat.com/show_bug.cgi?id=1261045
bugzilla.redhat.com/show_bug.cgi?id=1261048
bugzilla.redhat.com/show_bug.cgi?id=1261067
bugzilla.redhat.com/show_bug.cgi?id=1261697
bugzilla.redhat.com/show_bug.cgi?id=1261921
bugzilla.redhat.com/show_bug.cgi?id=1262059
bugzilla.redhat.com/show_bug.cgi?id=1262454
bugzilla.redhat.com/show_bug.cgi?id=1262995
bugzilla.redhat.com/show_bug.cgi?id=1265010
bugzilla.redhat.com/show_bug.cgi?id=1265777
bugzilla.redhat.com/show_bug.cgi?id=1266082
bugzilla.redhat.com/show_bug.cgi?id=1266253
bugzilla.redhat.com/show_bug.cgi?id=1266327
bugzilla.redhat.com/show_bug.cgi?id=1266911
bugzilla.redhat.com/show_bug.cgi?id=1267883
launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch
rhn.redhat.com/errata/RHSA-2015-1862.html