CVE-2013-4471

Description

The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.

How to fix CVE-2013-4471

To remediate CVE-2013-4471, upgrade the affected package to a fixed version below.

• Debian/horizon—upgrade to 2013.2-1 or later

Is CVE-2013-4471 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2013.2-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4471