CVE-2013-1840
Glance: Backend credentials leak in Glance v1 API
Public Exploits: 0
Exploited in Wild: -
Descriptions
The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.
These packages provide a service that acts as a registry for virtual machine images. An information leak flaw was found in the way Glance handled certain image requests. If caching were enabled, an authenticated user could use this flaw to obtain Glance's OpenStack Swift or Amazon Simple Storage Service credentials.
Timeline
- 2013-02-19 CVE Reserved
- 2013-03-15 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References (13)
URL | Tag | Source |
---|---|---|
http://osvdb.org/91304 | Vdb Entry | |
http://www.openwall.com/lists/oss-security/2013/03/14/15 | Mailing List | |
http://www.securityfocus.com/bid/58490 | Vdb Entry | |
https://bugs.launchpad.net/glance/+bug/1135541 | X_refsource_confirm | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/82878 | Vdb Entry | |
https://review.openstack.org/#/c/24437 | X_refsource_confirm | |
https://review.openstack.org/#/c/24438 | X_refsource_confirm | |
https://review.openstack.org/#/c/24439 | X_refsource_confirm |
URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2013-0707.html | 2017-08-29 | |
http://secunia.com/advisories/52565 | 2017-08-29 | |
http://www.ubuntu.com/usn/USN-1764-1 | 2017-08-29 | |
https://access.redhat.com/security/cve/CVE-2013-1840 | 2013-04-04 | |
https://bugzilla.redhat.com/show_bug.cgi?id=920393 | 2013-04-04 |