CVE-2014-4615

NameCVE-2014-4615
DescriptionThe notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ceilometer (PTS)jessie2014.1.3-6fixed
stretch1:7.0.1-5fixed
buster1:11.0.1-5fixed
bullseye1:15.0.0-3fixed
bookworm1:19.0.0-3fixed
sid, trixie1:21.0.0-2fixed
neutron (PTS)jessie2014.1.3-12fixed
stretch (security), stretch (lts), stretch2:9.1.1-3+deb9u3fixed
buster, buster (security)2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1fixed
bullseye (security), bullseye2:17.2.1-0+deb11u1fixed
bookworm2:21.0.0-7fixed
sid, trixie2:23.0.0-2fixed
python-pycadf (PTS)jessie0.5.1-1fixed
stretch2.4.0-1fixed
buster2.7.0-2fixed
bullseye, bookworm3.1.1-2fixed
sid, trixie3.1.1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ceilometersource(unstable)2014.1.2-1
neutronsource(unstable)2014.1.2-1
python-pycadfsource(unstable)0.5.1-1

Notes

upstream patch: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0324965a0c2987e5cad6276f011682dec184205f (neutron)
Upstream patch: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=2b6454f9f4e0585949ab68a91ed405755438d76e (ceilometer)
Upstream patch: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=264f3b0d9640edeac743f339786e0a3b22c0f6c2 (ceilometer)
Upstream patch: https://git.openstack.org/cgit/openstack/pycadf/commit/?id=966d4410a1a69e0a3af678442a1a965dae80d720 (pycadf)

Search for package or bug name: Reporting problems