CVE-2014-9493
openstack-glance: unrestricted path traversal flaw
Descriptions
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.
It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.
Timeline
- 2015-01-03 CVE Reserved
- 2015-01-07 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-19 EPSS Updated
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-264: Permissions, Privileges, and Access Controls
References (8)
URL | Tag | Date |
---|---|---|
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html | Third Party Advisory | |
http://www.securityfocus.com/bid/71688 | Third Party Advisory | |
https://bugs.launchpad.net/glance/+bug/1400966 | Issue Tracking | |
http://lists.openstack.org/pipermail/openstack-announce/2014-December/000317.html | | 2019-02-01 |
http://rhn.redhat.com/errata/RHSA-2015-0246.html | | 2019-02-01 |
https://security.openstack.org/ossa/OSSA-2014-041.html | | 2019-02-01 |
https://access.redhat.com/security/cve/CVE-2014-9493 | | 2015-02-19 |
https://bugzilla.redhat.com/show_bug.cgi?id=1174474 | | 2015-02-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Redhat | Openstack | 4.0 | - | Affected |
Redhat | Openstack | 5.0 | - | Affected |
Openstack | Image Registry And Delivery Service (glance) | >= 2014.1 < 2014.1.4 | - | Affected |
Openstack | Image Registry And Delivery Service (glance) | >= 2014.2 < 2014.2.2 | - | Affected |