CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5251 – openstack-glance allows illegal modification of image status
https://notcve.org/view.php?id=CVE-2015-5251
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*. OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores 2015.1.2 (kilo) permiten a usuarios remotos autenticados cambiar el estado de sus imágenes y eludir las restricciones de acceso a través de la cabecera HTTP x-image-meta-status a images/*. A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an 'x-image-meta-status' header. A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service's v1 API could allow the illegal modification of image status. • http://rhn.redhat.com/errata/RHSA-2015-1897.html https://bugs.launchpad.net/bugs/1482371 https://security.openstack.org/ossa/OSSA-2015-019.html https://access.redhat.com/security/cve/CVE-2015-5251 https://bugzilla.redhat.com/show_bug.cgi?id=1263511 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5163 – openstack-glance: Glance v2 API host file disclosure through qcow2 backing file
https://notcve.org/view.php?id=CVE-2015-5163
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image. Vulnerabilidad en la acción de importar tareas en OpenStack Image Service (Glance) 2015.1.x en versiones anteriores a 2015.1.2 (kilo), cuando se usa la API V2, permite a usuarios remotos autenticados leer archivos arbitrarios a través de un archivo de respaldo manipulado para una imagen qcow2. A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw. • http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html http://rhn.redhat.com/errata/RHSA-2015-1639.html http://www.securityfocus.com/bid/76346 https://bugs.launchpad.net/glance/+bug/1471912 https://access.redhat.com/security/cve/CVE-2015-5163 https://bugzilla.redhat.com/show_bug.cgi?id=1252378 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-454: External Initialization of Trusted Variables or Data Stores •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3289
https://notcve.org/view.php?id=CVE-2015-3289
OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them. Vulnerabilidad en OpenStack Glance en versiones anteriores a 2015.1.1 (kilo), permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) utilizando reiteradamente la API de importación de flujo de tareas para crear imágenes y borrarlas después. • http://lists.openstack.org/pipermail/openstack-announce/2015-July/000481.html http://www.securityfocus.com/bid/76068 https://bugs.launchpad.net/glance/+bug/1454087 • CWE-399: Resource Management Errors •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 1CVE-2014-9684 – openstack-glance: potential resource exhaustion and denial of service using images manipulation API
https://notcve.org/view.php?id=CVE-2014-9684
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881. OpenStack Image Registry and Delivery Service (Glance) 2014.2 hasta 2014.2.2 no elimina correctamente las imágenes, lo que permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) mediante la creación de un número grande de imágenes al utilizar una API v2 de tareas y posteriormente eliminándolas antes de que terminen las subidas, una vulnerabilidad diferente a CVE-2015-1881. Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion. • http://lists.openstack.org/pipermail/openstack-announce/2015-February/000336.html http://rhn.redhat.com/errata/RHSA-2015-0938.html http://www.securityfocus.com/bid/72692 https://bugs.launchpad.net/glance/+bug/1371118 https://access.redhat.com/security/cve/CVE-2014-9684 https://bugzilla.redhat.com/show_bug.cgi?id=1194697 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 1CVE-2015-1881 – openstack-glance: potential resource exhaustion and denial of service using images manipulation API
https://notcve.org/view.php?id=CVE-2015-1881
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684. OpenStack Image Registry and Delivery Service (Glance) 2014.2 hasta 2014.2.2 no elimina correctamente las imágenes, lo que permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) mediante la creación de un número grande de imágenes al utilizar la API v2 de tareas y posteriormente eliminándolas, una vulnerabilidad diferente a CVE-2014-9684. Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion. • http://lists.openstack.org/pipermail/openstack-announce/2015-February/000336.html http://rhn.redhat.com/errata/RHSA-2015-0938.html http://www.securityfocus.com/bid/72694 https://bugs.launchpad.net/glance/+bug/1420696 https://access.redhat.com/security/cve/CVE-2015-1881 https://bugzilla.redhat.com/show_bug.cgi?id=1194697 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •