CVE-2015-5163 – openstack-glance: Glance v2 API host file disclosure through qcow2 backing file
https://notcve.org/view.php?id=CVE-2015-5163
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.
A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw.
• http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html
• http://rhn.redhat.com/errata/RHSA-2015-1639.html
• http://www.securityfocus.com/bid/76346
• https://bugs.launchpad.net/glance/+bug/1471912
• https://access.redhat.com/security/cve/CVE-2015-5163
• https://bugzilla.redhat.com/show_bug.cgi?id=1252378
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-454: External Initialization of Trusted Variables or Data Stores
CVE-2015-3289
https://notcve.org/view.php?id=CVE-2015-3289
OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them.
• http://lists.openstack.org/pipermail/openstack-announce/2015-July/000481.html
• http://www.securityfocus.com/bid/76068
• https://bugs.launchpad.net/glance/+bug/1454087
• CWE-399: Resource Management Errors
CVE-2013-4428 – Glance: image_download policy not enforced for cached images
https://notcve.org/view.php?id=CVE-2013-4428
OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.
• http://rhn.redhat.com/errata/RHSA-2013-1525.html
• http://www.openwall.com/lists/oss-security/2013/10/15/8
• http://www.openwall.com/lists/oss-security/2013/10/16/9
• http://www.securityfocus.com/bid/63159
• http://www.ubuntu.com/usn/USN-2003-1
• https://bugs.launchpad.net/glance/+bug/1235226
• https://bugs.launchpad.net/glance/+bug/1235378
• https://launchpad.net/glance/+milestone/2013.1.4
• https://launchpad.net/glance/+milestone/2013.2
• https://access.redhat
• CWE-264: Permissions, Privileges, and Access Controls