MEDIUM

GHSA-gvjg-r9fv-7qx9

OpenStack Image Service (Glance) allows remote authenticated users to bypass storage quota, cause denial of service

Details

OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / glance

Introduced in: 0 Fixed in: 2014.2.4

Fix pip install --upgrade 'glance>=2014.2.4'

PyPI / glance

Introduced in: 2015.1.0 Fixed in: 2015.1.2

Fix pip install --upgrade 'glance>=2015.1.2'

References

https://nvd.nist.gov/vuln/detail/CVE-2015-5286 [ADVISORY]
https://access.redhat.com/errata/RHSA-2015:1897 [WEB]
https://access.redhat.com/security/cve/CVE-2015-5286 [WEB]
https://bugs.launchpad.net/bugs/1498163 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1267516 [WEB]
https://opendev.org/openstack/glance [PACKAGE]
https://rhn.redhat.com/errata/RHSA-2015-1897.html [WEB]
https://security.openstack.org/ossa/OSSA-2015-020.html [WEB]
https://web.archive.org/web/20200228024859/http://www.securityfocus.com/bid/76943 [WEB]