CVE-2015-5271: TripleO Heat templates might allow remote attackers to obtain sensitive information from private containers
(updated )
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
References
- access.redhat.com/errata/RHSA-2015:1862
- access.redhat.com/security/cve/CVE-2015-5271
- bugs.launchpad.net/tripleo/+bug/1494896
- bugzilla.redhat.com/show_bug.cgi?id=1261697
- git.openstack.org/cgit/openstack/tripleo-heat-templates
- git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476
- github.com/advisories/GHSA-8936-44gw-7664
- github.com/pypa/advisory-database/tree/main/vulns/tripleo-heat-templates/PYSEC-2016-34.yaml
- launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch
- nvd.nist.gov/vuln/detail/CVE-2015-5271
- review.openstack.org/226541
Code Behaviors & Features
Detect and mitigate CVE-2015-5271 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →