PT-2013-3424 · Openstack · Openstack Glance

Stuart Mclaren

Published

2013-03-22

Updated

2022-05-17

CVE-2013-1840

CVSS v2.0

3.5

Low

Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions OpenStack Glance versions 2012.1 through 2012.2, Grizzly

Description The issue in OpenStack Glance allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image when using the single-tenant Swift or S3 store. This occurs because the v1 API reports the location field.

Recommendations For OpenStack Glance versions 2012.1 through 2012.2, consider restricting access to the v1 API until a fix is available. For OpenStack Glance Grizzly, avoid using the single-tenant Swift or S3 store with the v1 API until the issue is resolved. As a temporary workaround, consider disabling the use of the location field in the v1 API for cached images.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2013-1840

GHSA-C8W9-83VG-R8VV

PYSEC-2013-46

RHSA-2013:0707

Affected Products

Openstack Glance

PT-2013-3424 · Openstack · Openstack Glance

CVE-2013-1840

Weakness Enumeration

Related Identifiers

Affected Products

References · 22