CVE-2013-4471

Published: May 14, 2014Modified: May 6, 2026

5.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Exploitability: 8.0 / Impact: 4.9

Source: NVD

Description

The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.

Affected (1)

Products: Openstack: Horizon

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Openstack Horizon	From 2013.1 to 2013.2

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

http://lists.openstack.org/pipermail/openstack/2013-November/003299.html

Source: secalert@redhat.com

Vendor Advisory

https://bugs.launchpad.net/horizon/+bug/1237989

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

http://lists.openstack.org/pipermail/openstack/2013-November/003299.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugs.launchpad.net/horizon/+bug/1237989

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

Timeline

No history available yet.