openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #11263
[OSSA 2012-006] Horizon session fixation and reuse
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenStack Security Advisory: 2012-006
CVE: 2012-05-04
Date: Friday, May 4
Title: Horizon session fixation and reuse
Impact: Critical
Reporter: Thomas Biege, SUSE
Products: Horizon
Affects: All versions
Description:
Thomas Biege from SUSE reported a vulnerability in OpenStack Dashboard
(Horizon). Under specific circumstances it is possible to reuse
session cookies from another user, potentially allowing access to
unauthorized information and capabilities.
Fixes:
Folsom:
https://github.com/openstack/horizon/commit/041b1c44c7d6cf5429505067c32f8f35166a8bab
2012.1:
https://github.com/openstack/horizon/commit/abc532fa90eac1cc970423339347e318aa8d1b1a
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2144
https://bugs.launchpad.net/horizon/+bug/978896
Notes:
This fix will be included in the folsom-1 development milestone and in
a future 2012.1 (essex) release.
- --
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk+kdO0ACgkQFg9ft4s9SAYLsgCgptN3zZrEpOCPsbbSfPiPz7J5
BegAoK2D0D1YHP08xt3iSdGQ7OKXuyLT
=CYxN
-----END PGP SIGNATURE-----