CVE-2015-5251 (GCVE-0-2015-5251)
Vulnerability from cvelistv5 – Published: 2015-10-26 17:00 – Updated: 2024-08-06 06:41
Summary
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:08.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.openstack.org/ossa/OSSA-2015-019.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/1482371"
},
{
"name": "RHSA-2015:1897",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-10-26T16:57:02",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.openstack.org/ossa/OSSA-2015-019.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/bugs/1482371"
},
{
"name": "RHSA-2015:1897",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5251",
"datePublished": "2015-10-26T17:00:00",
"dateReserved": "2015-07-01T00:00:00",
"dateUpdated": "2024-08-06T06:41:08.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2014.2.3\", \"matchCriteriaId\": \"0964364D-BB85-4C6C-AC03-9C5654F31B11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):2015.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C66E0C3C-F6B7-433D-9F93-531594C52D17\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):2015.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"897FC29D-7439-4BF2-8296-FB33712DCE43\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.\"}, {\"lang\": \"es\", \"value\": \"OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores 2015.1.2 (kilo) permiten a usuarios remotos autenticados cambiar el estado de sus im\\u00e1genes y eludir las restricciones de acceso a trav\\u00e9s de la cabecera HTTP x-image-meta-status a images/*.\"}]",
"id": "CVE-2015-5251",
"lastModified": "2024-11-21T02:32:38.873",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:P\", \"baseScore\": 5.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2015-10-26T17:59:06.813",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1897.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugs.launchpad.net/bugs/1482371\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://security.openstack.org/ossa/OSSA-2015-019.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1897.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugs.launchpad.net/bugs/1482371\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.openstack.org/ossa/OSSA-2015-019.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2015-5251\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-10-26T17:59:06.813\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.\"},{\"lang\":\"es\",\"value\":\"OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores 2015.1.2 (kilo) permiten a usuarios remotos autenticados cambiar el estado de sus im\u00e1genes y eludir las restricciones de acceso a trav\u00e9s de la cabecera HTTP x-image-meta-status a images/*.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2014.2.3\",\"matchCriteriaId\":\"0964364D-BB85-4C6C-AC03-9C5654F31B11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):20
15.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C66E0C3C-F6B7-433D-9F93-531594C52D17\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):2015.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"897FC29D-7439-4BF2-8296-FB33712DCE43\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1897.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugs.launchpad.net/bugs/1482371\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.openstack.org/ossa/OSSA-2015-019.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1897.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugs.launchpad.net/bugs/1482371\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.openstack.org/ossa/OSSA-2015-019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
CNVD-2015-07124
Vulnerability from cnvd - Published: 2015-10-30
Title
OpenStack Image Service访问限制绕过漏洞
Description
OpenStack是美国国家航空航天局(National Aeronautics and Space Administration)和美国Rackspace公司合作研发的一个云平台管理项目。Image Service(Glance)是其中的一个可存储、查询和检索虚拟机镜像的项目。
OpenStack Image Service(Glance) 2014.2.4(juno)之前版本和2015.1.2(kilo)之前2015.1.x版本中存在安全漏洞。远程攻击者可通过提交带有x-image-meta-status头的HTTP PUT请求更改图像状态,绕过访问限制。
Severity
中
Patch Name
OpenStack Image Service访问限制绕过漏洞的补丁
Patch Description
OpenStack是美国国家航空航天局(National Aeronautics and Space Administration)和美国Rackspace公司合作研发的一个云平台管理项目。Image Service(Glance)是其中的一个可存储、查询和检索虚拟机镜像的项目。
OpenStack Image Service(Glance) 2014.2.4(juno)之前版本和2015.1.2(kilo)之前2015.1.x版本中存在安全漏洞。远程攻击者可通过提交带有x-image-meta-status头的HTTP PUT请求更改图像状态,绕过访问限制。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接: https://security.openstack.org/ossa/OSSA-2015-019.html
Reference
https://bugs.launchpad.net/bugs/1482371
https://security.openstack.org/ossa/OSSA-2015-019.html
http://rhn.redhat.com/errata/RHSA-2015-1897.html
Impacted products
| Name | ['OpenStack Image Registry and Delivery Service (Glance) < 2014.2.4', 'OpenStack Image Registry and Delivery Service (Glance) 2015.1.x (< 2015.1.2)'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2015-5251"
}
},
"description": "OpenStack\u662f\u7f8e\u56fd\u56fd\u5bb6\u822a\u7a7a\u822a\u5929\u5c40\uff08National Aeronautics and Space Administration\uff09\u548c\u7f8e\u56fdRackspace\u516c\u53f8\u5408\u4f5c\u7814\u53d1\u7684\u4e00\u4e2a\u4e91\u5e73\u53f0\u7ba1\u7406\u9879\u76ee\u3002Image Service\uff08Glance\uff09\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u53ef\u5b58\u50a8\u3001\u67e5\u8be2\u548c\u68c0\u7d22\u865a\u62df\u673a\u955c\u50cf\u7684\u9879\u76ee\u3002\r\n\r\nOpenStack Image Service(Glance) 2014.2.4(juno)\u4e4b\u524d\u7248\u672c\u548c2015.1.2(kilo)\u4e4b\u524d2015.1.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63d0\u4ea4\u5e26\u6709x-image-meta-status\u5934\u7684HTTP PUT\u8bf7\u6c42\u66f4\u6539\u56fe\u50cf\u72b6\u6001\uff0c\u7ed5\u8fc7\u8bbf\u95ee\u9650\u5236\u3002",
"discovererName": "Hemanth Makkapati",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://security.openstack.org/ossa/OSSA-2015-019.html",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2015-07124",
"openTime": "2015-10-30",
"patchDescription": "OpenStack\u662f\u7f8e\u56fd\u56fd\u5bb6\u822a\u7a7a\u822a\u5929\u5c40\uff08National Aeronautics and Space Administration\uff09\u548c\u7f8e\u56fdRackspace\u516c\u53f8\u5408\u4f5c\u7814\u53d1\u7684\u4e00\u4e2a\u4e91\u5e73\u53f0\u7ba1\u7406\u9879\u76ee\u3002Image Service\uff08Glance\uff09\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u53ef\u5b58\u50a8\u3001\u67e5\u8be2\u548c\u68c0\u7d22\u865a\u62df\u673a\u955c\u50cf\u7684\u9879\u76ee\u3002\r\nOpenStack Image Service(Glance) 2014.2.4(juno)\u4e4b\u524d\u7248\u672c\u548c2015.1.2(kilo)\u4e4b\u524d2015.1.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63d0\u4ea4\u5e26\u6709x-image-meta-status\u5934\u7684HTTP PUT\u8bf7\u6c42\u66f4\u6539\u56fe\u50cf\u72b6\u6001\uff0c\u7ed5\u8fc7\u8bbf\u95ee\u9650\u5236\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "OpenStack Image Service\u8bbf\u95ee\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"OpenStack Image Registry and Delivery Service (Glance) \u003c 2014.2.4",
"OpenStack Image Registry and Delivery Service (Glance) 2015.1.x (\u003c 2015.1.2)"
]
},
"referenceLink": "https://bugs.launchpad.net/bugs/1482371\r\nhttps://security.openstack.org/ossa/OSSA-2015-019.html\r\nhttp://rhn.redhat.com/errata/RHSA-2015-1897.html",
"serverity": "\u4e2d",
"submitTime": "2015-10-28",
"title": "OpenStack Image Service\u8bbf\u95ee\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e"
}
SUSE-SU-2016:0101-1
Vulnerability from csaf_suse - Published: 2016-01-13 12:31 - Updated: 2016-01-13 12:31
Summary
Security update for openstack-glance
Notes
Title of the patch
Security update for openstack-glance
Description of the patch
This update for openstack-glance provides the following fixes:
- Catch NotAuthenticated exception in import task. (bsc#947735, CVE-2015-5286)
- Cleanup chunks for deleted image if token expired. (bsc#947735, CVE-2015-5286)
- Prevent image status being directly modified via v1. (bsc#945994, CVE-2015-5251)
- Fix error when downloading image status is not active. (bsc#945051)
- Add ability to deactivate an image.
Patchnames
sleclo50sp3-openstack-glance-12321
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for openstack-glance",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for openstack-glance provides the following fixes:\n\n- Catch NotAuthenticated exception in import task. (bsc#947735, CVE-2015-5286)\n- Cleanup chunks for deleted image if token expired. (bsc#947735, CVE-2015-5286)\n- Prevent image status being directly modified via v1. (bsc#945994, CVE-2015-5251)\n- Fix error when downloading image status is not active. (bsc#945051)\n- Add ability to deactivate an image.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sleclo50sp3-openstack-glance-12321",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_0101-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:0101-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160101-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:0101-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-January/001795.html"
},
{
"category": "self",
"summary": "SUSE Bug 945051",
"url": "https://bugzilla.suse.com/945051"
},
{
"category": "self",
"summary": "SUSE Bug 945994",
"url": "https://bugzilla.suse.com/945994"
},
{
"category": "self",
"summary": "SUSE Bug 947735",
"url": "https://bugzilla.suse.com/947735"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5251 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5251/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5286 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5286/"
}
],
"title": "Security update for openstack-glance",
"tracking": {
"current_release_date": "2016-01-13T12:31:46Z",
"generator": {
"date": "2016-01-13T12:31:46Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:0101-1",
"initial_release_date": "2016-01-13T12:31:46Z",
"revision_history": [
{
"date": "2016-01-13T12:31:46Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "openstack-glance-doc-2014.2.4.juno-14.1.noarch",
"product": {
"name": "openstack-glance-doc-2014.2.4.juno-14.1.noarch",
"product_id": "openstack-glance-doc-2014.2.4.juno-14.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-glance-2014.2.4.juno-14.1.x86_64",
"product": {
"name": "openstack-glance-2014.2.4.juno-14.1.x86_64",
"product_id": "openstack-glance-2014.2.4.juno-14.1.x86_64"
}
},
{
"category": "product_version",
"name": "python-glance-2014.2.4.juno-14.1.x86_64",
"product": {
"name": "python-glance-2014.2.4.juno-14.1.x86_64",
"product_id": "python-glance-2014.2.4.juno-14.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 5",
"product": {
"name": "SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:cloud:5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-2014.2.4.juno-14.1.x86_64 as component of SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5:openstack-glance-2014.2.4.juno-14.1.x86_64"
},
"product_reference": "openstack-glance-2014.2.4.juno-14.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-2014.2.4.juno-14.1.noarch as component of SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5:openstack-glance-doc-2014.2.4.juno-14.1.noarch"
},
"product_reference": "openstack-glance-doc-2014.2.4.juno-14.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-2014.2.4.juno-14.1.x86_64 as component of SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5:python-glance-2014.2.4.juno-14.1.x86_64"
},
"product_reference": "python-glance-2014.2.4.juno-14.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5251",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5251"
}
],
"notes": [
{
"category": "general",
"text": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:openstack-glance-2014.2.4.juno-14.1.x86_64",
"SUSE OpenStack Cloud 5:openstack-glance-doc-2014.2.4.juno-14.1.noarch",
"SUSE OpenStack Cloud 5:python-glance-2014.2.4.juno-14.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5251",
"url": "https://www.suse.com/security/cve/CVE-2015-5251"
},
{
"category": "external",
"summary": "SUSE Bug 945994 for CVE-2015-5251",
"url": "https://bugzilla.suse.com/945994"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:openstack-glance-2014.2.4.juno-14.1.x86_64",
"SUSE OpenStack Cloud 5:openstack-glance-doc-2014.2.4.juno-14.1.noarch",
"SUSE OpenStack Cloud 5:python-glance-2014.2.4.juno-14.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-01-13T12:31:46Z",
"details": "moderate"
}
],
"title": "CVE-2015-5251"
},
{
"cve": "CVE-2015-5286",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5286"
}
],
"notes": [
{
"category": "general",
"text": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:openstack-glance-2014.2.4.juno-14.1.x86_64",
"SUSE OpenStack Cloud 5:openstack-glance-doc-2014.2.4.juno-14.1.noarch",
"SUSE OpenStack Cloud 5:python-glance-2014.2.4.juno-14.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5286",
"url": "https://www.suse.com/security/cve/CVE-2015-5286"
},
{
"category": "external",
"summary": "SUSE Bug 947735 for CVE-2015-5286",
"url": "https://bugzilla.suse.com/947735"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:openstack-glance-2014.2.4.juno-14.1.x86_64",
"SUSE OpenStack Cloud 5:openstack-glance-doc-2014.2.4.juno-14.1.noarch",
"SUSE OpenStack Cloud 5:python-glance-2014.2.4.juno-14.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-01-13T12:31:46Z",
"details": "moderate"
}
],
"title": "CVE-2015-5286"
}
]
}
FKIE_CVE-2015-5251
Vulnerability from fkie_nvd - Published: 2015-10-26 17:59 - Updated: 2025-04-12 10:46
Summary
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | image_registry_and_delivery_service_\(glance\) | * | |
| openstack | image_registry_and_delivery_service_\(glance\) | 2015.1.0 | |
| openstack | image_registry_and_delivery_service_\(glance\) | 2015.1.1 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):*:*:*:*:*:*:*:*",
"matchCriteriaId": "0964364D-BB85-4C6C-AC03-9C5654F31B11",
"versionEndIncluding": "2014.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C66E0C3C-F6B7-433D-9F93-531594C52D17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897FC29D-7439-4BF2-8296-FB33712DCE43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*."
},
{
"lang": "es",
"value": "OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores 2015.1.2 (kilo) permiten a usuarios remotos autenticados cambiar el estado de sus im\u00e1genes y eludir las restricciones de acceso a trav\u00e9s de la cabecera HTTP x-image-meta-status a images/*."
}
],
"id": "CVE-2015-5251",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-10-26T17:59:06.813",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html"
},
{
"source": "secalert@redhat.com",
"url": "https://bugs.launchpad.net/bugs/1482371"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://security.openstack.org/ossa/OSSA-2015-019.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugs.launchpad.net/bugs/1482371"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.openstack.org/ossa/OSSA-2015-019.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
RHSA-2015_1897
Vulnerability from csaf_redhat - Published: 2015-10-15 12:29 - Updated: 2024-11-14 15:30
Summary
Red Hat Security Advisory: openstack-glance security update
Notes
Topic
Updated openstack-glance packages that fix two security issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
OpenStack Image service (glance) provides discovery, registration, and
delivery services for disk and server images. It provides the ability to
copy or snapshot a server image, and immediately store it away. Stored
images can be used as a template to get new servers up and running quickly
and more consistently than installing a server operating system and
individually configuring additional services.
A flaw was discovered in the OpenStack Image service where a
tenant could manipulate the status of their images by submitting an
HTTP PUT request together with an 'x-image-meta-status' header. A
malicious tenant could exploit this flaw to reactivate disabled images,
bypass storage quotas, and in some cases replace image contents (where
they have owner access). Setups using the Image service's v1 API could
allow the illegal modification of image status. Additionally, setups
which also use the v2 API could allow a subsequent re-upload of image
contents. (CVE-2015-5251)
A race-condition flaw was discovered in the OpenStack Image service.
When images in the upload state were deleted using a token close to
expiration, untracked image data could accumulate in the back end.
Because untracked data does not count towards the storage quota, an
attacker could use this flaw to cause a denial of service through
resource exhaustion. (CVE-2015-5286)
Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Hemanth Makkapati of Rackspace as the
original reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of
Mirantis as the original reporters of CVE-2015-5286.
All openstack-glance users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, running Image service services will be restarted
automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-glance packages that fix two security issues are now\navailable for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Image service (glance) provides discovery, registration, and\ndelivery services for disk and server images. It provides the ability to\ncopy or snapshot a server image, and immediately store it away. Stored\nimages can be used as a template to get new servers up and running quickly\nand more consistently than installing a server operating system and\nindividually configuring additional services.\n\nA flaw was discovered in the OpenStack Image service where a\ntenant could manipulate the status of their images by submitting an\nHTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A\nmalicious tenant could exploit this flaw to reactivate disabled images,\nbypass storage quotas, and in some cases replace image contents (where\nthey have owner access). Setups using the Image service\u0027s v1 API could\nallow the illegal modification of image status. Additionally, setups\nwhich also use the v2 API could allow a subsequent re-upload of image\ncontents. (CVE-2015-5251)\n\nA race-condition flaw was discovered in the OpenStack Image service.\nWhen images in the upload state were deleted using a token close to\nexpiration, untracked image data could accumulate in the back end.\nBecause untracked data does not count towards the storage quota, an\nattacker could use this flaw to cause a denial of service through\nresource exhaustion. (CVE-2015-5286)\n\nRed Hat would like to thank the OpenStack project for reporting these\nissues. Upstream acknowledges Hemanth Makkapati of Rackspace as the\noriginal reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of\nMirantis as the original reporters of CVE-2015-5286.\n\nAll openstack-glance users are advised to upgrade to these updated\npackages, which correct these issues. After installing the updated\npackages, running Image service services will be restarted\nautomatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:1897",
"url": "https://access.redhat.com/errata/RHSA-2015:1897"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1263511",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511"
},
{
"category": "external",
"summary": "1267516",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1897.json"
}
],
"title": "Red Hat Security Advisory: openstack-glance security update",
"tracking": {
"current_release_date": "2024-11-14T15:30:32+00:00",
"generator": {
"date": "2024-11-14T15:30:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2015:1897",
"initial_release_date": "2015-10-15T12:29:01+00:00",
"revision_history": [
{
"date": "2015-10-15T12:29:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-10-15T12:29:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T15:30:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:6::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"product_id": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"product_id": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2014.1.5-3.el6ost.noarch",
"product": {
"name": "python-glance-0:2014.1.5-3.el6ost.noarch",
"product_id": "python-glance-0:2014.1.5-3.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2014.1.5-3.el7ost.noarch",
"product": {
"name": "python-glance-0:2014.1.5-3.el7ost.noarch",
"product_id": "python-glance-0:2014.1.5-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"product_id": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"product_id": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2014.2.3-3.el7ost.noarch",
"product": {
"name": "python-glance-0:2014.2.3-3.el7ost.noarch",
"product_id": "python-glance-0:2014.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2014.2.3-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"product_id": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2014.2.3-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"product_id": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"product": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"product_id": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2015.1.1-3.el7ost.noarch",
"product": {
"name": "python-glance-0:2015.1.1-3.el7ost.noarch",
"product_id": "python-glance-0:2015.1.1-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2015.1.1-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"product_id": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2015.1.1-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el6ost.src",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.src",
"product_id": "openstack-glance-0:2014.1.5-3.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el7ost.src",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.src",
"product_id": "openstack-glance-0:2014.1.5-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.2.3-3.el7ost.src",
"product": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.src",
"product_id": "openstack-glance-0:2014.2.3-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2015.1.1-3.el7ost.src",
"product": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.src",
"product_id": "openstack-glance-0:2015.1.1-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch"
},
"product_reference": "python-glance-0:2014.1.5-3.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch"
},
"product_reference": "python-glance-0:2014.1.5-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src"
},
"product_reference": "openstack-glance-0:2014.2.3-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch"
},
"product_reference": "python-glance-0:2014.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch"
},
"product_reference": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src"
},
"product_reference": "openstack-glance-0:2015.1.1-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
},
"product_reference": "python-glance-0:2015.1.1-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"OpenStack project"
]
},
{
"names": [
"Hemanth Makkapati"
],
"organization": "Rackspace",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2015-5251",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2015-09-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1263511"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service\u0027s v1 API could allow the illegal modification of image status. Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-glance allows illegal modification of image status",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5251"
},
{
"category": "external",
"summary": "RHBZ#1263511",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251"
}
],
"release_date": "2015-09-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-15T12:29:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1897"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openstack-glance allows illegal modification of image status"
},
{
"acknowledgments": [
{
"names": [
"OpenStack project"
]
},
{
"names": [
"Mike Fedosin"
],
"summary": "Acknowledged by upstream."
},
{
"names": [
"Alexei Galkin"
],
"organization": "Mirantis",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2015-5286",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2015-09-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1267516"
}
],
"notes": [
{
"category": "description",
"text": "A race-condition flaw was discovered in the OpenStack Image service (glance). When images in the upload state were deleted using a token close to expiration, untracked image data could accumulate in the back end. Because untracked data does not count towards the storage quota, an attacker could use this flaw to cause a denial of service through resource exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-glance: Storage overrun by deleting images",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5286"
},
{
"category": "external",
"summary": "RHBZ#1267516",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5286",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5286"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286"
}
],
"release_date": "2015-10-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-15T12:29:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1897"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openstack-glance: Storage overrun by deleting images"
}
]
}
RHSA-2015:1897
Vulnerability from csaf_redhat - Published: 2015-10-15 12:29 - Updated: 2025-11-21 17:53
Summary
Red Hat Security Advisory: openstack-glance security update
Notes
Topic
Updated openstack-glance packages that fix two security issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
OpenStack Image service (glance) provides discovery, registration, and
delivery services for disk and server images. It provides the ability to
copy or snapshot a server image, and immediately store it away. Stored
images can be used as a template to get new servers up and running quickly
and more consistently than installing a server operating system and
individually configuring additional services.
A flaw was discovered in the OpenStack Image service where a
tenant could manipulate the status of their images by submitting an
HTTP PUT request together with an 'x-image-meta-status' header. A
malicious tenant could exploit this flaw to reactivate disabled images,
bypass storage quotas, and in some cases replace image contents (where
they have owner access). Setups using the Image service's v1 API could
allow the illegal modification of image status. Additionally, setups
which also use the v2 API could allow a subsequent re-upload of image
contents. (CVE-2015-5251)
A race-condition flaw was discovered in the OpenStack Image service.
When images in the upload state were deleted using a token close to
expiration, untracked image data could accumulate in the back end.
Because untracked data does not count towards the storage quota, an
attacker could use this flaw to cause a denial of service through
resource exhaustion. (CVE-2015-5286)
Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Hemanth Makkapati of Rackspace as the
original reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of
Mirantis as the original reporters of CVE-2015-5286.
All openstack-glance users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, running Image service services will be restarted
automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-glance packages that fix two security issues are now\navailable for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Image service (glance) provides discovery, registration, and\ndelivery services for disk and server images. It provides the ability to\ncopy or snapshot a server image, and immediately store it away. Stored\nimages can be used as a template to get new servers up and running quickly\nand more consistently than installing a server operating system and\nindividually configuring additional services.\n\nA flaw was discovered in the OpenStack Image service where a\ntenant could manipulate the status of their images by submitting an\nHTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A\nmalicious tenant could exploit this flaw to reactivate disabled images,\nbypass storage quotas, and in some cases replace image contents (where\nthey have owner access). Setups using the Image service\u0027s v1 API could\nallow the illegal modification of image status. Additionally, setups\nwhich also use the v2 API could allow a subsequent re-upload of image\ncontents. (CVE-2015-5251)\n\nA race-condition flaw was discovered in the OpenStack Image service.\nWhen images in the upload state were deleted using a token close to\nexpiration, untracked image data could accumulate in the back end.\nBecause untracked data does not count towards the storage quota, an\nattacker could use this flaw to cause a denial of service through\nresource exhaustion. (CVE-2015-5286)\n\nRed Hat would like to thank the OpenStack project for reporting these\nissues. Upstream acknowledges Hemanth Makkapati of Rackspace as the\noriginal reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of\nMirantis as the original reporters of CVE-2015-5286.\n\nAll openstack-glance users are advised to upgrade to these updated\npackages, which correct these issues. After installing the updated\npackages, running Image service services will be restarted\nautomatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:1897",
"url": "https://access.redhat.com/errata/RHSA-2015:1897"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1263511",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511"
},
{
"category": "external",
"summary": "1267516",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1897.json"
}
],
"title": "Red Hat Security Advisory: openstack-glance security update",
"tracking": {
"current_release_date": "2025-11-21T17:53:44+00:00",
"generator": {
"date": "2025-11-21T17:53:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2015:1897",
"initial_release_date": "2015-10-15T12:29:01+00:00",
"revision_history": [
{
"date": "2015-10-15T12:29:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-10-15T12:29:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:53:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:6::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"product_id": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"product_id": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2014.1.5-3.el6ost.noarch",
"product": {
"name": "python-glance-0:2014.1.5-3.el6ost.noarch",
"product_id": "python-glance-0:2014.1.5-3.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2014.1.5-3.el7ost.noarch",
"product": {
"name": "python-glance-0:2014.1.5-3.el7ost.noarch",
"product_id": "python-glance-0:2014.1.5-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"product_id": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"product_id": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2014.2.3-3.el7ost.noarch",
"product": {
"name": "python-glance-0:2014.2.3-3.el7ost.noarch",
"product_id": "python-glance-0:2014.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2014.2.3-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"product_id": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2014.2.3-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"product_id": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"product": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"product_id": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-glance-0:2015.1.1-3.el7ost.noarch",
"product": {
"name": "python-glance-0:2015.1.1-3.el7ost.noarch",
"product_id": "python-glance-0:2015.1.1-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-glance@2015.1.1-3.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"product": {
"name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"product_id": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance-doc@2015.1.1-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el6ost.src",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.src",
"product_id": "openstack-glance-0:2014.1.5-3.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.1.5-3.el7ost.src",
"product": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.src",
"product_id": "openstack-glance-0:2014.1.5-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2014.2.3-3.el7ost.src",
"product": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.src",
"product_id": "openstack-glance-0:2014.2.3-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-glance-0:2015.1.1-3.el7ost.src",
"product": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.src",
"product_id": "openstack-glance-0:2015.1.1-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch"
},
"product_reference": "python-glance-0:2014.1.5-3.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.1.5-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src"
},
"product_reference": "openstack-glance-0:2014.1.5-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch"
},
"product_reference": "python-glance-0:2014.1.5-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-glance-0:2014.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2014.2.3-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src"
},
"product_reference": "openstack-glance-0:2014.2.3-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch"
},
"product_reference": "python-glance-0:2014.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch"
},
"product_reference": "openstack-glance-0:2015.1.1-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-0:2015.1.1-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src"
},
"product_reference": "openstack-glance-0:2015.1.1-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch"
},
"product_reference": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
},
"product_reference": "python-glance-0:2015.1.1-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"OpenStack project"
]
},
{
"names": [
"Hemanth Makkapati"
],
"organization": "Rackspace",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2015-5251",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2015-09-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1263511"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service\u0027s v1 API could allow the illegal modification of image status. Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-glance allows illegal modification of image status",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5251"
},
{
"category": "external",
"summary": "RHBZ#1263511",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251"
}
],
"release_date": "2015-09-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-15T12:29:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1897"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openstack-glance allows illegal modification of image status"
},
{
"acknowledgments": [
{
"names": [
"OpenStack project"
]
},
{
"names": [
"Mike Fedosin"
],
"summary": "Acknowledged by upstream."
},
{
"names": [
"Alexei Galkin"
],
"organization": "Mirantis",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2015-5286",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2015-09-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1267516"
}
],
"notes": [
{
"category": "description",
"text": "A race-condition flaw was discovered in the OpenStack Image service (glance). When images in the upload state were deleted using a token close to expiration, untracked image data could accumulate in the back end. Because untracked data does not count towards the storage quota, an attacker could use this flaw to cause a denial of service through resource exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-glance: Storage overrun by deleting images",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5286"
},
{
"category": "external",
"summary": "RHBZ#1267516",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5286",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5286"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286"
}
],
"release_date": "2015-10-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-15T12:29:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1897"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src",
"6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src",
"7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src",
"7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src",
"7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openstack-glance: Storage overrun by deleting images"
}
]
}
GHSA-Q748-MCWG-XMQV
Vulnerability from github – Published: 2022-05-17 04:04 – Updated: 2023-02-08 17:59
Summary
OpenStack Image Service (Glance) allows remote authenticated users to change the status of their own images through the v1 API and thereby bypass access restrictions (reactivating disabled images, evading storage quotas and, where the v2 API is also served, re-uploading image contents)
Details
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/* — i.e. by sending an HTTP PUT to the v1 images/* endpoint with a caller-chosen `x-image-meta-status` value. Deployments that serve the v1 API permit the status change itself; where the v2 API is served as well, an image whose status has been reset this way can subsequently have its contents re-uploaded.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "glance"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2014.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "glance"
},
"ranges": [
{
"events": [
{
"introduced": "2015.1.0"
},
{
"fixed": "2015.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5251"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T17:59:13Z",
"nvd_published_at": "2015-10-26T17:59:00Z",
"severity": "MODERATE"
},
"details": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.",
"id": "GHSA-q748-mcwg-xmqv",
"modified": "2023-02-08T17:59:13Z",
"published": "2022-05-17T04:04:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1897"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2015-5251"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/bugs/1482371"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511"
},
{
"type": "PACKAGE",
"url": "https://opendev.org/openstack/glance"
},
{
"type": "WEB",
"url": "https://rhn.redhat.com/errata/RHSA-2015-1897.html"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2015-019.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions"
}
GSD-2015-5251
Vulnerability from gsd – Updated: 2023-12-13 01:20
Details
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/* — i.e. by sending an HTTP PUT to the v1 images/* endpoint with a caller-chosen `x-image-meta-status` value. Deployments that serve the v1 API permit the status change itself; where the v2 API is served as well, an image whose status has been reset this way can subsequently have its contents re-uploaded.
Aliases
{
"GSD": {
"alias": "CVE-2015-5251",
"description": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.",
"id": "GSD-2015-5251",
"references": [
"https://www.suse.com/security/cve/CVE-2015-5251.html",
"https://access.redhat.com/errata/RHSA-2015:1897",
"https://ubuntu.com/security/CVE-2015-5251"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-5251"
],
"details": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.",
"id": "GSD-2015-5251",
"modified": "2023-12-13T01:20:06.268879Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5251",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://rhn.redhat.com/errata/RHSA-2015-1897.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html"
},
{
"name": "https://bugs.launchpad.net/bugs/1482371",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/bugs/1482371"
},
{
"name": "https://security.openstack.org/ossa/OSSA-2015-019.html",
"refsource": "MISC",
"url": "https://security.openstack.org/ossa/OSSA-2015-019.html"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2014.2.4||\u003e=2015.1.0,\u003c2015.1.2",
"affected_versions": "All versions before 2014.2.4, all versions starting from 2015.1.0 before 2015.1.2",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2023-02-08",
"description": "A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service\u0027s v1 API could allow the illegal modification of image status. Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.",
"fixed_versions": [
"2014.2.4",
"2015.1.2"
],
"identifier": "CVE-2015-5251",
"identifiers": [
"GHSA-q748-mcwg-xmqv",
"CVE-2015-5251"
],
"not_impacted": "All versions starting from 2014.2.4 before 2015.1.0, all versions starting from 2015.1.2",
"package_slug": "pypi/glance",
"pubdate": "2022-05-17",
"solution": "Upgrade to versions 2014.2.4, 2015.1.2 or above.",
"title": "OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-5251",
"https://bugs.launchpad.net/bugs/1482371",
"https://security.openstack.org/ossa/OSSA-2015-019.html",
"http://rhn.redhat.com/errata/RHSA-2015-1897.html",
"https://access.redhat.com/errata/RHSA-2015:1897",
"https://access.redhat.com/security/cve/CVE-2015-5251",
"https://bugzilla.redhat.com/show_bug.cgi?id=1263511",
"https://github.com/advisories/GHSA-q748-mcwg-xmqv"
],
"uuid": "c40ea2b8-b659-436d-aed6-b1e44fff939e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2014.2.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5251"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2015:1897",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html"
},
{
"name": "https://security.openstack.org/ossa/OSSA-2015-019.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://security.openstack.org/ossa/OSSA-2015-019.html"
},
{
"name": "https://bugs.launchpad.net/bugs/1482371",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugs.launchpad.net/bugs/1482371"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:52Z",
"publishedDate": "2015-10-26T17:59Z"
}
}
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.