CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5286 – openstack-glance: Storage overrun by deleting images
https://notcve.org/view.php?id=CVE-2015-5286
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623. OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores a 2015.1.2 (kilo) permite a usuarios remotos autenticados eludir la cuota de almacenamiento y provocar una denegación de servicio (consumo de disco) borrando imágenes que han sido subidas utilizando un token que expira durante el proceso. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2014-9623. A race-condition flaw was discovered in the OpenStack Image service (glance). • http://rhn.redhat.com/errata/RHSA-2015-1897.html http://www.securityfocus.com/bid/76943 https://bugs.launchpad.net/bugs/1498163 https://security.openstack.org/ossa/OSSA-2015-020.html https://access.redhat.com/security/cve/CVE-2015-5286 https://bugzilla.redhat.com/show_bug.cgi?id=1267516 • CWE-264: Permissions, Privileges, and Access Controls CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5163 – openstack-glance: Glance v2 API host file disclosure through qcow2 backing file
https://notcve.org/view.php?id=CVE-2015-5163
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image. Vulnerabilidad en la acción de importar tareas en OpenStack Image Service (Glance) 2015.1.x en versiones anteriores a 2015.1.2 (kilo), cuando se usa la API V2, permite a usuarios remotos autenticados leer archivos arbitrarios a través de un archivo de respaldo manipulado para una imagen qcow2. A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw. • http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html http://rhn.redhat.com/errata/RHSA-2015-1639.html http://www.securityfocus.com/bid/76346 https://bugs.launchpad.net/glance/+bug/1471912 https://access.redhat.com/security/cve/CVE-2015-5163 https://bugzilla.redhat.com/show_bug.cgi?id=1252378 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-454: External Initialization of Trusted Variables or Data Stores •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3289
https://notcve.org/view.php?id=CVE-2015-3289
OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them. Vulnerabilidad en OpenStack Glance en versiones anteriores a 2015.1.1 (kilo), permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) utilizando reiteradamente la API de importación de flujo de tareas para crear imágenes y borrarlas después. • http://lists.openstack.org/pipermail/openstack-announce/2015-July/000481.html http://www.securityfocus.com/bid/76068 https://bugs.launchpad.net/glance/+bug/1454087 • CWE-399: Resource Management Errors •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 1CVE-2014-9684 – openstack-glance: potential resource exhaustion and denial of service using images manipulation API
https://notcve.org/view.php?id=CVE-2014-9684
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881. OpenStack Image Registry and Delivery Service (Glance) 2014.2 hasta 2014.2.2 no elimina correctamente las imágenes, lo que permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) mediante la creación de un número grande de imágenes al utilizar una API v2 de tareas y posteriormente eliminándolas antes de que terminen las subidas, una vulnerabilidad diferente a CVE-2015-1881. Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion. • http://lists.openstack.org/pipermail/openstack-announce/2015-February/000336.html http://rhn.redhat.com/errata/RHSA-2015-0938.html http://www.securityfocus.com/bid/72692 https://bugs.launchpad.net/glance/+bug/1371118 https://access.redhat.com/security/cve/CVE-2014-9684 https://bugzilla.redhat.com/show_bug.cgi?id=1194697 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 1CVE-2015-1881 – openstack-glance: potential resource exhaustion and denial of service using images manipulation API
https://notcve.org/view.php?id=CVE-2015-1881
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684. OpenStack Image Registry and Delivery Service (Glance) 2014.2 hasta 2014.2.2 no elimina correctamente las imágenes, lo que permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) mediante la creación de un número grande de imágenes al utilizar la API v2 de tareas y posteriormente eliminándolas, una vulnerabilidad diferente a CVE-2014-9684. Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion. • http://lists.openstack.org/pipermail/openstack-announce/2015-February/000336.html http://rhn.redhat.com/errata/RHSA-2015-0938.html http://www.securityfocus.com/bid/72694 https://bugs.launchpad.net/glance/+bug/1420696 https://access.redhat.com/security/cve/CVE-2015-1881 https://bugzilla.redhat.com/show_bug.cgi?id=1194697 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •