MEDIUM

GHSA-q748-mcwg-xmqv

OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions

Details

OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
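
A compensating filter for the request described above, as an added example (not Glance's code and not the upstream fix): a WSGI wrapper that drops a client-supplied x-image-meta-status header on images/* requests and records that it did so. The class name, the on_strip hook and the premise that no legitimate client needs to send this header are assumptions of this example; upgrading to a fixed release remains the remedy.

```python
import re

# "images/*" comes from the advisory text; any API version prefix may precede it.
IMAGES_PATH = re.compile(r"(^|/)images/[^/]+")
# WSGI environ key for the x-image-meta-status request header.
STATUS_KEY = "HTTP_X_IMAGE_META_STATUS"


class StripImageStatusHeader:
    """Hypothetical WSGI filter (not Glance code): removes a client-supplied
    x-image-meta-status header from images/* requests and reports it."""

    def __init__(self, app, on_strip=None):
        self.app = app
        # on_strip(path, value) is an assumed hook, e.g. for audit logging.
        self.on_strip = on_strip or (lambda path, value: None)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if STATUS_KEY in environ and IMAGES_PATH.search(path):
            self.on_strip(path, environ.pop(STATUS_KEY))
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Constructed stand-in backend: returns the status header it received."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get(STATUS_KEY, "<absent>").encode()]


def call(app, path, headers=None):
    """Send one constructed request through a WSGI app; return the body text."""
    environ = {"PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return b"".join(app(environ, lambda status, hdrs: None)).decode()


if __name__ == "__main__":
    audit = []
    app = StripImageStatusHeader(echo_app, on_strip=lambda p, v: audit.append((p, v)))
    # Constructed requests; the image id and header values are placeholders.
    print(call(app, "/v1/images/IMAGE_ID", {"x-image-meta-status": "constructed-value"}))
    print(call(app, "/v1/images/IMAGE_ID", {"x-image-meta-name": "demo"}))
    print(audit)
```

The audit hook gives operators a record of clients that sent the header while the upgrade is being rolled out.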

Affected packages

PyPI / glance
Introduced in: 2011.2
Fixed in: 2014.2.4
Fix: pip install --upgrade 'glance>=2014.2.4'

PyPI / glance
Introduced in: 2015.1.0
Fixed in: 2015.1.2
Fix: pip install --upgrade 'glance>=2015.1.2'