Adds OSSA-2014-041
Change-Id: Idf8fc5be42dd1e446db0ee3e93d10b6245af90ef Related-Bug: #1400966
This commit is contained in:
parent
3ddd6ef25c
commit
e451978576
|
@ -0,0 +1,59 @@
|
|||
date: 2014-12-23
|
||||
|
||||
id: OSSA-2014-041
|
||||
|
||||
title: 'Glance v2 API unrestricted path traversal'
|
||||
|
||||
description: 'Masahito Muroi from NTT reported a vulnerability in Glance. By setting
|
||||
a malicious image location an authenticated user can download or delete
|
||||
any file on the Glance server for which the Glance process user has
|
||||
access to. Only setups using the Glance V2 API are affected by this flaw.'
|
||||
|
||||
errata: 'When the original advisory was published a CVE number was not assigned.
|
||||
CVE-2014-9493 can now be used to track this vulnerability.'
|
||||
|
||||
affected-products:
|
||||
|
||||
- product: glance
|
||||
version: up to 2014.1.3 and 2014.2 version up to 2014.2.1
|
||||
|
||||
vulnerabilities:
|
||||
|
||||
- cve-id: CVE-2014-9493
|
||||
|
||||
reporters:
|
||||
|
||||
- name: 'Masahito Muroi'
|
||||
affiliation: NTT
|
||||
reported:
|
||||
- CVE-2014-9493
|
||||
|
||||
issues:
|
||||
|
||||
links:
|
||||
- https://launchpad.net/bugs/1400966
|
||||
|
||||
type: launchpad
|
||||
|
||||
reviews:
|
||||
|
||||
kilo:
|
||||
- https://review.openstack.org/141706
|
||||
|
||||
juno:
|
||||
- https://review.openstack.org/142373
|
||||
|
||||
icehouse:
|
||||
- https://review.openstack.org/142788
|
||||
|
||||
type: gerrit
|
||||
|
||||
notes:
|
||||
- 'This fix was included in the kilo-1 development milestone and will be included
|
||||
in future 2014.2.2 (juno) and 2014.1.4 (icehouse) releases.'
|
||||
- 'The OpenStack VMT recommends revoking all credentials stored in files
|
||||
accessible by Glance as a precautionary measure.'
|
||||
|
||||
errata_history:
|
||||
- 2015-01-05 - Errata 1
|
||||
- 2014-12-23 - Original Version
|
Loading…
Reference in New Issue