CVE-2015-5271

The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.

Published: Apr 15, 2016
Updated: May 9, 2024
CVE: CVE-2015-5271
GHSA: GHSA-8936-44gw-7664
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
redhat / openstack	7.0	7.0.x
tripleo-heat-templates	-	0.8.7

https://access.redhat.com/errata/RHSA-2015:1862
https://access.redhat.com/security/cve/CVE-2015-5271
https://bugs.launchpad.net/tripleo/+bug/1494896
https://bugzilla.redhat.com/show_bug.cgi?id=1261697
https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476
https://launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch
https://review.openstack.org/226541

Vulnerability Database

289,599

CVE-2015-5271