CVE-2014-4615

NameCVE-2014-4615
DescriptionThe notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ceilometer (PTS)jessie2014.1.3-6fixed
stretch1:7.0.1-5fixed
buster, sid1:10.0.0-5fixed
neutron (PTS)jessie2014.1.3-12fixed
stretch2:9.1.1-3fixed
buster, sid2:12.0.2-9fixed
python-pycadf (PTS)jessie0.5.1-1fixed
stretch2.4.0-1fixed
buster, sid2.7.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ceilometersource(unstable)2014.1.2-1medium
neutronsource(unstable)2014.1.2-1medium
python-pycadfsource(unstable)0.5.1-1medium

Notes

upstream patch: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0324965a0c2987e5cad6276f011682dec184205f (neutron)
Upstream patch: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=2b6454f9f4e0585949ab68a91ed405755438d76e (ceilometer)
Upstream patch: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=264f3b0d9640edeac743f339786e0a3b22c0f6c2 (ceilometer)
Upstream patch: https://git.openstack.org/cgit/openstack/pycadf/commit/?id=966d4410a1a69e0a3af678442a1a965dae80d720 (pycadf)

Search for package or bug name: Reporting problems