Masahito Muroi

**Name of the Vulnerable Software and Affected Versions** OpenStack Image Registry and Delivery Service (Glance) versions prior to 2014.2.2 OpenStack Image Registry and Delivery Service (Glance) version 2014.1.4 **Description** The issue allows remote authenticated users to read or delete arbitrary files via a full pathname in a `file:` URL in the `image location` property. This is related to the V2 API in OpenStack Image Registry and Delivery Service (Glance). **Recommendations** For versions prior to 2014.2.2, update to version 2014.2.2 or later. For version 2014.1.4, update to a later version. As a temporary workaround, consider restricting access to the V2 API until a patch is available.