OpenStack Image Service (Glance) allows remote authenticated users to read arbitrary file

GHSA-q73f-vjc2-3gqf · CVE-2015-5163 · PYSEC-2015-39

Published May 17, 2022 · Modified Nov 26, 2024

Description

The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-5163
WEB https://github.com/openstack/glance/commit/eb99e45829a1b4c93db5692bdbf636a86faa56c4
WEB https://access.redhat.com/errata/RHSA-2015:1639
WEB https://access.redhat.com/security/cve/CVE-2015-5163
WEB https://bugs.launchpad.net/glance/+bug/1471912
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1252378
PACKAGE https://github.com/openstack/glance
WEB https://github.com/pypa/advisory-database/tree/main/vulns/glance/PYSEC-2015-39.yaml
WEB https://web.archive.org/web/20200228024903/http://www.securityfocus.com/bid/76346
WEB http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html
WEB http://rhn.redhat.com/errata/RHSA-2015-1639.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes