Adds OSSA-2014-041

Change-Id: Idf8fc5be42dd1e446db0ee3e93d10b6245af90ef
Related-Bug: #1400966
This commit is contained in:
Tristan Cacqueray 2015-01-15 21:18:39 +00:00
parent 3ddd6ef25c
commit e451978576
1 changed files with 59 additions and 0 deletions

59
ossa/OSSA-2014-041.yaml Normal file
View File

@ -0,0 +1,59 @@
date: 2014-12-23
id: OSSA-2014-041
title: 'Glance v2 API unrestricted path traversal'
description: 'Masahito Muroi from NTT reported a vulnerability in Glance. By setting
a malicious image location an authenticated user can download or delete
any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this flaw.'
errata: 'When the original advisory was published a CVE number was not assigned.
CVE-2014-9493 can now be used to track this vulnerability.'
affected-products:
- product: glance
version: up to 2014.1.3 and 2014.2 version up to 2014.2.1
vulnerabilities:
- cve-id: CVE-2014-9493
reporters:
- name: 'Masahito Muroi'
affiliation: NTT
reported:
- CVE-2014-9493
issues:
links:
- https://launchpad.net/bugs/1400966
type: launchpad
reviews:
kilo:
- https://review.openstack.org/141706
juno:
- https://review.openstack.org/142373
icehouse:
- https://review.openstack.org/142788
type: gerrit
notes:
- 'This fix was included in the kilo-1 development milestone and will be included
in future 2014.2.2 (juno) and 2014.1.4 (icehouse) releases.'
- 'The OpenStack VMT recommends revoking all credentials stored in files
accessible by Glance as a precautionary measure.'
errata_history:
- 2015-01-05 - Errata 1
- 2014-12-23 - Original Version