Vulnerability Name: CVE-2013-4471 (CCN-102904)
Assigned: 2013-10-11
Published: 2013-10-11
Updated: 2021-03-09
Summary: The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
CVSS v3 Severity:
  6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVSS v2 Severity:
  5.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
  4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
  4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-287
Vulnerability Consequences: Bypass Security
References:
  Source: MITRE, Type: CNA. CVE-2013-4471
  Source: MLIST, Type: Vendor Advisory. [Openstack] 20131122 [OSSG][OSSN] Authenticated users are able to update passwords without providing their current password
  Source: CCN, Type: OpenStack Bug#1237989. user can update his password without knowing the old password
  Source: CONFIRM, Type: Issue Tracking, Patch, Third Party Advisory. https://bugs.launchpad.net/horizon/+bug/1237989
  Source: XF, Type: UNKNOWN. openstack-cve20134471-sec-bypass(102904)
  Source: CCN, Type: WhiteSource Vulnerability Database. CVE-2013-4471