// For flags

CVE-2014-9684

openstack-glance: potential resource exhaustion and denial of service using images manipulation API

Severity Score

4.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.

OpenStack Image Registry and Delivery Service (Glance) 2014.2 hasta 2014.2.2 no elimina correctamente las imágenes, lo que permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) mediante la creación de un número grande de imágenes al utilizar una API v2 de tareas y posteriormente eliminándolas antes de que terminen las subidas, una vulnerabilidad diferente a CVE-2015-1881.

Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Partial
Attack Vector
Adjacent
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-02-19 CVE Reserved
  • 2015-02-24 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-399: Resource Management Errors
  • CWE-400: Uncontrolled Resource Consumption
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openstack
Search vendor "Openstack"
Image Registry And Delivery Service \(glance\)
Search vendor "Openstack" for product "Image Registry And Delivery Service \(glance\)"
2014.2
Search vendor "Openstack" for product "Image Registry And Delivery Service \(glance\)" and version "2014.2"
-
Affected
Openstack
Search vendor "Openstack"
Image Registry And Delivery Service \(glance\)
Search vendor "Openstack" for product "Image Registry And Delivery Service \(glance\)"
2014.2.1
Search vendor "Openstack" for product "Image Registry And Delivery Service \(glance\)" and version "2014.2.1"
-
Affected
Openstack
Search vendor "Openstack"
Image Registry And Delivery Service \(glance\)
Search vendor "Openstack" for product "Image Registry And Delivery Service \(glance\)"
2014.2.2
Search vendor "Openstack" for product "Image Registry And Delivery Service \(glance\)" and version "2014.2.2"
-
Affected