
Mike Fedosin

#19230 of 53,640
13.9 CVSS total
Vulnerabilities · 2
Medium: 1
High: 1
PT-2015-6833
6.8
2015-10-26
Openstack · Openstack Image Service · CVE-2015-5286
**Name of the Vulnerable Software and Affected Versions**

OpenStack Image Service (Glance) versions prior to 2014.2.4 (juno)

OpenStack Image Service (Glance) versions prior to 2015.1.2 (kilo)

**Description**

The issue allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process.

**Recommendations**

For versions prior to 2014.2.4 (juno), update to version 2014.2.4 or later.

For versions prior to 2015.1.2 (kilo), update to version 2015.1.2 or later.
PT-2015-4352
7.1
2015-02-24
Openstack · Openstack Image Registry/Delivery Service · CVE-2014-9684
**Name of the Vulnerable Software and Affected Versions**

OpenStack Image Registry and Delivery Service (Glance) versions 2014.2 through 2014.2.2

**Description**

The issue allows remote authenticated users to cause a denial of service, specifically disk consumption, by creating a large number of images using the task v2 API and then deleting them before the uploads finish.

**Recommendations**

For versions 2014.2 through 2014.2.2, consider restricting access to the task v2 API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.