7 results (0.007 seconds)

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1

The nlpweb/glance repository through 2014-06-27 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio nlpweb/glance versiones hasta 27-06-2014 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0

An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service. Un problema SSRF ha sido descubierto en OpenStack Glance en versiones anteriores a Newton. • http://www.securityfocus.com/bid/96988 https://bugs.launchpad.net/ossn/+bug/1153614 https://bugs.launchpad.net/ossn/+bug/1606495 https://wiki.openstack.org/wiki/OSSN/OSSN-0078 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0

OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them. Vulnerabilidad en OpenStack Glance en versiones anteriores a 2015.1.1 (kilo), permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) utilizando reiteradamente la API de importación de flujo de tareas para crear imágenes y borrarlas después. • http://lists.openstack.org/pipermail/openstack-announce/2015-July/000481.html http://www.securityfocus.com/bid/76068 https://bugs.launchpad.net/glance/+bug/1454087 • CWE-399: Resource Management Errors •

CVSS: 4.0EPSS: 0%CPEs: 10EXPL: 0

OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image. OpenStack Image Registry and Delivery Service (Glance) anterior a 2013.2.4, 2014.x anterior a 2014.1.3, y Juno anterior a Juno-3, cuando utiliza la API V2, no aplica debidamente la opción de configuración image_size_cap, lo que permite a usuarios remotos autenticados causar una denegación de servicio (el consumo del disco) mediante la subida de un imagen grande. It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service. • http://rhn.redhat.com/errata/RHSA-2014-1337.html http://rhn.redhat.com/errata/RHSA-2014-1338.html http://rhn.redhat.com/errata/RHSA-2014-1685.html http://secunia.com/advisories/60743 http://www.openwall.com/lists/oss-security/2014/08/21/6 http://www.ubuntu.com/usn/USN-2322-1 https://bugs.launchpad.net/glance/+bug/1315321 https://access.redhat.com/security/cve/CVE-2014-5356 https://bugzilla.redhat.com/show_bug.cgi?id=1131770 • CWE-264: Permissions, Privileges, and Access Controls CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

The Sheepdog backend in OpenStack Image Registry and Delivery Service (Glance) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modify an image to execute arbitrary commands via a crafted location. El backend Sheepdog en OpenStack Image Registry and Delivery Service (Glance) 2013.2 anterior a 2013.2.4 y icehouse anterior a icehouse-rc2 permite a usuarios remotos autenticados con permiso insertar o modificar un imagen para ejecutar comandos arbitrarios a través de una localización manipulada. • http://rhn.redhat.com/errata/RHSA-2014-0455.html http://www.openwall.com/lists/oss-security/2014/04/10/13 http://www.ubuntu.com/usn/USN-2193-1 https://launchpad.net/bugs/1298698 https://access.redhat.com/security/cve/CVE-2014-0162 https://bugzilla.redhat.com/show_bug.cgi?id=1085163 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •