Launchpad CVE tracker

CVE 2015-5295

The template-validate command in OpenStack Orchestration API (Heat) before 2015.1.3 (kilo) and 5.0.x before 5.0.1 (liberty) allows remote authenticated users to cause a denial of service (memory consumption) or determine the existence of local files via the resource type in a template, as demonstrated by file:///dev/zero.

Related bugs and status

CVE-2015-5295 (Candidate) is related to these bugs:

Bug #1496277: [OSSA 2016-003] template-validate may read server local files (CVE-2015-5295)

		In	Importance	Status
1496277	[OSSA 2016-003] template-validate may read server local files (CVE-2015-5295)	OpenStack Heat	High	Fix Released
1496277	[OSSA 2016-003] template-validate may read server local files (CVE-2015-5295)	OpenStack Security Advisory	Critical	Fix Released
1496277	[OSSA 2016-003] template-validate may read server local files (CVE-2015-5295)	OpenStack Heat kilo	Undecided	Fix Released

Bug #1533729: Heat denial of service through template-validate

		In	Importance	Status
1533729	Heat denial of service through template-validate	Mirantis OpenStack	High	Fix Released
1533729	Heat denial of service through template-validate	Mirantis OpenStack 8.0.x	High	Fix Released
1533729	Heat denial of service through template-validate	Mirantis OpenStack 7.0.x	High	Fix Released
1533729	Heat denial of service through template-validate	Mirantis OpenStack 6.1.x	High	Fix Released
1533729	Heat denial of service through template-validate	Mirantis OpenStack 5.0.x	High	Won't Fix
1533729	Heat denial of service through template-validate	Mirantis OpenStack 6.0.x	High	Fix Released
1533729	Heat denial of service through template-validate	Mirantis OpenStack 5.1.x	High	Fix Committed

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-5295

References