Jason Dunsmore

**Name of the Vulnerable Software and Affected Versions** OpenStack Orchestration API (Heat) versions 2013.2 through 2013.2.3 OpenStack Orchestration API (Heat) version 2014.1 **Description** The issue allows remote authenticated users to obtain the provider template URL via the `resource-type-list`. This can occur when creating the stack for a template using a provider template. **Recommendations** For OpenStack Orchestration API (Heat) versions 2013.2 through 2013.2.3, update to a version that includes the fix for this issue. For OpenStack Orchestration API (Heat) version 2014.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the `resource-type-list` to minimize the risk of exploitation.