CVE-2013-1840

Name of the Vulnerable Software and Affected Versions OpenStack Glance versions 2012.1 through 2012.2, Grizzly

Description The issue in OpenStack Glance allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image when using the single-tenant Swift or S3 store. This occurs because the v1 API reports the location field.

Recommendations For OpenStack Glance versions 2012.1 through 2012.2, consider restricting access to the v1 API until a fix is available. For OpenStack Glance Grizzly, avoid using the single-tenant Swift or S3 store with the v1 API until the issue is resolved. As a temporary workaround, consider disabling the use of the location field in the v1 API for cached images.