cve-2015-5251
Vulnerability from cvelistv5
Published
2015-10-26 17:00
Modified
2024-08-06 06:41
Summary
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:41:08.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.openstack.org/ossa/OSSA-2015-019.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.launchpad.net/bugs/1482371" }, { "name": "RHSA-2015:1897", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-10-26T16:57:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.openstack.org/ossa/OSSA-2015-019.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.launchpad.net/bugs/1482371" }, { "name": "RHSA-2015:1897", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5251", "datePublished": "2015-10-26T17:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:08.976Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "fkie_nvd": { "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2014.2.3\", \"matchCriteriaId\": \"0964364D-BB85-4C6C-AC03-9C5654F31B11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):2015.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C66E0C3C-F6B7-433D-9F93-531594C52D17\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):2015.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"897FC29D-7439-4BF2-8296-FB33712DCE43\"}]}]}]", "descriptions": "[{\"lang\": \"en\", \"value\": \"OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.\"}, 
{\"lang\": \"es\", \"value\": \"OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores 2015.1.2 (kilo) permiten a usuarios remotos autenticados cambiar el estado de sus im\\u00e1genes y eludir las restricciones de acceso a trav\\u00e9s de la cabecera HTTP x-image-meta-status a images/*.\"}]", "id": "CVE-2015-5251", "lastModified": "2024-11-21T02:32:38.873", "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:P\", \"baseScore\": 5.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", "published": "2015-10-26T17:59:06.813", "references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1897.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugs.launchpad.net/bugs/1482371\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://security.openstack.org/ossa/OSSA-2015-019.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1897.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugs.launchpad.net/bugs/1482371\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.openstack.org/ossa/OSSA-2015-019.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]", "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": 
[{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]" }, "nvd": "{\"cve\":{\"id\":\"CVE-2015-5251\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-10-26T17:59:06.813\",\"lastModified\":\"2024-11-21T02:32:38.873\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.\"},{\"lang\":\"es\",\"value\":\"OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores 2015.1.2 (kilo) permiten a usuarios remotos autenticados cambiar el estado de sus im\u00e1genes y eludir las restricciones de acceso a trav\u00e9s de la cabecera HTTP x-image-meta-status a images/*.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2014.2.3\",\"matchCriteriaId\":\"0964364D-BB85-4C6C-AC03-9C5654F31B11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:imag
e_registry_and_delivery_service_\\\\(glance\\\\):2015.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C66E0C3C-F6B7-433D-9F93-531594C52D17\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:image_registry_and_delivery_service_\\\\(glance\\\\):2015.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"897FC29D-7439-4BF2-8296-FB33712DCE43\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1897.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugs.launchpad.net/bugs/1482371\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.openstack.org/ossa/OSSA-2015-019.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1897.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugs.launchpad.net/bugs/1482371\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.openstack.org/ossa/OSSA-2015-019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
ghsa-q748-mcwg-xmqv
Vulnerability from github
Published
2022-05-17 04:04
Modified
2023-02-08 17:59
Summary
OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions
Details
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "glance" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2014.2.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "glance" }, "ranges": [ { "events": [ { "introduced": "2015.1.0" }, { "fixed": "2015.1.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2015-5251" ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-08T17:59:13Z", "nvd_published_at": "2015-10-26T17:59:00Z", "severity": "MODERATE" }, "details": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.", "id": "GHSA-q748-mcwg-xmqv", "modified": "2023-02-08T17:59:13Z", "published": "2022-05-17T04:04:02Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2015:1897" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2015-5251" }, { "type": "WEB", "url": "https://bugs.launchpad.net/bugs/1482371" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511" }, { "type": "PACKAGE", "url": "https://opendev.org/openstack/glance" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2015-1897.html" }, { "type": "WEB", "url": "https://security.openstack.org/ossa/OSSA-2015-019.html" } ], "schema_version": "1.4.0", "severity": [], "summary": "OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions" }
fkie_cve-2015-5251
Vulnerability from fkie_nvd
Published
2015-10-26 17:59
Modified
2024-11-21 02:32
Summary
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
References
Impacted products
Vendor | Product | Version
---|---|---
openstack | image_registry_and_delivery_service_\(glance\) | *
openstack | image_registry_and_delivery_service_\(glance\) | 2015.1.0
openstack | image_registry_and_delivery_service_\(glance\) | 2015.1.1
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):*:*:*:*:*:*:*:*", "matchCriteriaId": "0964364D-BB85-4C6C-AC03-9C5654F31B11", "versionEndIncluding": "2014.2.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C66E0C3C-F6B7-433D-9F93-531594C52D17", "vulnerable": true }, { "criteria": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "897FC29D-7439-4BF2-8296-FB33712DCE43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*." }, { "lang": "es", "value": "OpenStack Image Service (Glance) en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores 2015.1.2 (kilo) permiten a usuarios remotos autenticados cambiar el estado de sus im\u00e1genes y eludir las restricciones de acceso a trav\u00e9s de la cabecera HTTP x-image-meta-status a images/*." 
} ], "id": "CVE-2015-5251", "lastModified": "2024-11-21T02:32:38.873", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-26T17:59:06.813", "references": [ { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html" }, { "source": "secalert@redhat.com", "url": "https://bugs.launchpad.net/bugs/1482371" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://security.openstack.org/ossa/OSSA-2015-019.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.launchpad.net/bugs/1482371" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://security.openstack.org/ossa/OSSA-2015-019.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
RHSA-2015:1897
Vulnerability from csaf_redhat
Published
2015-10-15 12:29
Modified
2024-11-14 15:30
Summary
Red Hat Security Advisory: openstack-glance security update
Notes
Topic
Updated openstack-glance packages that fix two security issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
OpenStack Image service (glance) provides discovery, registration, and
delivery services for disk and server images. It provides the ability to
copy or snapshot a server image, and immediately store it away. Stored
images can be used as a template to get new servers up and running quickly
and more consistently than installing a server operating system and
individually configuring additional services.
A flaw was discovered in the OpenStack Image service where a
tenant could manipulate the status of their images by submitting an
HTTP PUT request together with an 'x-image-meta-status' header. A
malicious tenant could exploit this flaw to reactivate disabled images,
bypass storage quotas, and in some cases replace image contents (where
they have owner access). Setups using the Image service's v1 API could
allow the illegal modification of image status. Additionally, setups
which also use the v2 API could allow a subsequent re-upload of image
contents. (CVE-2015-5251)
A race-condition flaw was discovered in the OpenStack Image service.
When images in the upload state were deleted using a token close to
expiration, untracked image data could accumulate in the back end.
Because untracked data does not count towards the storage quota, an
attacker could use this flaw to cause a denial of service through
resource exhaustion. (CVE-2015-5286)
Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Hemanth Makkapati of Rackspace as the
original reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of
Mirantis as the original reporters of CVE-2015-5286.
All openstack-glance users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, running Image service services will be restarted
automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated openstack-glance packages that fix two security issues are now\navailable for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "OpenStack Image service (glance) provides discovery, registration, and\ndelivery services for disk and server images. It provides the ability to\ncopy or snapshot a server image, and immediately store it away. Stored\nimages can be used as a template to get new servers up and running quickly\nand more consistently than installing a server operating system and\nindividually configuring additional services.\n\nA flaw was discovered in the OpenStack Image service where a\ntenant could manipulate the status of their images by submitting an\nHTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A\nmalicious tenant could exploit this flaw to reactivate disabled images,\nbypass storage quotas, and in some cases replace image contents (where\nthey have owner access). Setups using the Image service\u0027s v1 API could\nallow the illegal modification of image status. Additionally, setups\nwhich also use the v2 API could allow a subsequent re-upload of image\ncontents. 
(CVE-2015-5251)\n\nA race-condition flaw was discovered in the OpenStack Image service.\nWhen images in the upload state were deleted using a token close to\nexpiration, untracked image data could accumulate in the back end.\nBecause untracked data does not count towards the storage quota, an\nattacker could use this flaw to cause a denial of service through\nresource exhaustion. (CVE-2015-5286)\n\nRed Hat would like to thank the OpenStack project for reporting these\nissues. Upstream acknowledges Hemanth Makkapati of Rackspace as the\noriginal reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of\nMirantis as the original reporters of CVE-2015-5286.\n\nAll openstack-glance users are advised to upgrade to these updated\npackages, which correct these issues. After installing the updated\npackages, running Image service services will be restarted\nautomatically.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1897", "url": "https://access.redhat.com/errata/RHSA-2015:1897" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1263511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511" }, { "category": "external", "summary": "1267516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1897.json" } ], "title": "Red Hat Security Advisory: openstack-glance security update", "tracking": { "current_release_date": "2024-11-14T15:30:32+00:00", "generator": { "date": "2024-11-14T15:30:32+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2015:1897", "initial_release_date": "2015-10-15T12:29:01+00:00", "revision_history": [ { "date": "2015-10-15T12:29:01+00:00", "number": "1", "summary": "Initial version" }, { "date": "2015-10-15T12:29:01+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-14T15:30:32+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product": { "name": "Red Hat Enterprise Linux 
OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el7" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:6::el7" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:7::el7" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product": { "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product_id": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product_id": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.1.5-3.el6ost.noarch", "product": { "name": 
"python-glance-0:2014.1.5-3.el6ost.noarch", "product_id": "python-glance-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.1.5-3.el7ost.noarch", "product": { "name": "python-glance-0:2014.1.5-3.el7ost.noarch", "product_id": "python-glance-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product": { "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product_id": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.2.3-3.el7ost.noarch", "product": { "name": "python-glance-0:2014.2.3-3.el7ost.noarch", "product_id": "python-glance-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "product": { "name": 
"openstack-glance-0:2014.2.3-3.el7ost.noarch", "product_id": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product": { "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product_id": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2015.1.1-3.el7ost.noarch", "product": { "name": "python-glance-0:2015.1.1-3.el7ost.noarch", "product_id": "python-glance-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2015.1.1-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2015.1.1-3.el7ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el6ost.src", "product": { "name": "openstack-glance-0:2014.1.5-3.el6ost.src", "product_id": "openstack-glance-0:2014.1.5-3.el6ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=src" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el7ost.src", "product": { "name": "openstack-glance-0:2014.1.5-3.el7ost.src", "product_id": "openstack-glance-0:2014.1.5-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=src" } } }, { "category": "product_version", "name": 
"openstack-glance-0:2014.2.3-3.el7ost.src", "product": { "name": "openstack-glance-0:2014.2.3-3.el7ost.src", "product_id": "openstack-glance-0:2014.2.3-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=src" } } }, { "category": "product_version", "name": "openstack-glance-0:2015.1.1-3.el7ost.src", "product": { "name": "openstack-glance-0:2015.1.1-3.el7ost.src", "product_id": "openstack-glance-0:2015.1.1-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src" }, "product_reference": "openstack-glance-0:2014.1.5-3.el6ost.src", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", 
"full_product_name": { "name": "python-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "python-glance-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src" }, "product_reference": "openstack-glance-0:2014.1.5-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "python-glance-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": 
"7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.2.3-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src" }, "product_reference": "openstack-glance-0:2014.2.3-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "python-glance-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch" }, "product_reference": 
"openstack-glance-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2015.1.1-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src" }, "product_reference": "openstack-glance-0:2015.1.1-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" }, "product_reference": "python-glance-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "OpenStack project" ] }, { "names": [ "Hemanth Makkapati" ], "organization": "Rackspace", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2015-5251", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2015-09-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1263511" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an \u0027x-image-meta-status\u0027 header. 
A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service\u0027s v1 API could allow the illegal modification of image status. Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.", "title": "Vulnerability description" }, { "category": "summary", "text": "openstack-glance allows illegal modification of image status", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical 
URL", "url": "https://access.redhat.com/security/cve/CVE-2015-5251" }, { "category": "external", "summary": "RHBZ#1263511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5251", "url": "https://www.cve.org/CVERecord?id=CVE-2015-5251" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251" } ], "release_date": "2015-09-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-10-15T12:29:01+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", 
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1897" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openstack-glance allows illegal modification of image status" }, { "acknowledgments": [ { "names": [ "OpenStack project" ] }, { "names": [ "Mike Fedosin" ], "summary": "Acknowledged by upstream." }, { "names": [ "Alexei Galkin" ], "organization": "Mirantis", "summary": "Acknowledged by upstream." 
} ], "cve": "CVE-2015-5286", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2015-09-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1267516" } ], "notes": [ { "category": "description", "text": "A race-condition flaw was discovered in the OpenStack Image service (glance). When images in the upload state were deleted using a token close to expiration, untracked image data could accumulate in the back end. Because untracked data does not count towards the storage quota, an attacker could use this flaw to cause a denial of service through resource exhaustion.", "title": "Vulnerability description" }, { "category": "summary", "text": "openstack-glance: Storage overrun by deleting images", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", 
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-5286" }, { "category": "external", "summary": "RHBZ#1267516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5286", "url": "https://www.cve.org/CVERecord?id=CVE-2015-5286" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286" } ], "release_date": "2015-10-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-10-15T12:29:01+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1897" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", 
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openstack-glance: Storage overrun by deleting images" } ] }
rhsa-2015:1897
Vulnerability from csaf_redhat
Published
2015-10-15 12:29
Modified
2024-11-14 15:30
Summary
Red Hat Security Advisory: openstack-glance security update
Notes
Topic
Updated openstack-glance packages that fix two security issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
OpenStack Image service (glance) provides discovery, registration, and
delivery services for disk and server images. It provides the ability to
copy or snapshot a server image, and immediately store it away. Stored
images can be used as a template to get new servers up and running quickly
and more consistently than installing a server operating system and
individually configuring additional services.
A flaw was discovered in the OpenStack Image service where a
tenant could manipulate the status of their images by submitting an
HTTP PUT request together with an 'x-image-meta-status' header. A
malicious tenant could exploit this flaw to reactivate disabled images,
bypass storage quotas, and in some cases replace image contents (where
they have owner access). Setups using the Image service's v1 API could
allow the illegal modification of image status. Additionally, setups
which also use the v2 API could allow a subsequent re-upload of image
contents. (CVE-2015-5251)
A race-condition flaw was discovered in the OpenStack Image service.
When images in the upload state were deleted using a token close to
expiration, untracked image data could accumulate in the back end.
Because untracked data does not count towards the storage quota, an
attacker could use this flaw to cause a denial of service through
resource exhaustion. (CVE-2015-5286)
Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Hemanth Makkapati of Rackspace as the
original reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of
Mirantis as the original reporters of CVE-2015-5286.
All openstack-glance users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the running Image service components will be restarted
automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated openstack-glance packages that fix two security issues are now\navailable for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "OpenStack Image service (glance) provides discovery, registration, and\ndelivery services for disk and server images. It provides the ability to\ncopy or snapshot a server image, and immediately store it away. Stored\nimages can be used as a template to get new servers up and running quickly\nand more consistently than installing a server operating system and\nindividually configuring additional services.\n\nA flaw was discovered in the OpenStack Image service where a\ntenant could manipulate the status of their images by submitting an\nHTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A\nmalicious tenant could exploit this flaw to reactivate disabled images,\nbypass storage quotas, and in some cases replace image contents (where\nthey have owner access). Setups using the Image service\u0027s v1 API could\nallow the illegal modification of image status. Additionally, setups\nwhich also use the v2 API could allow a subsequent re-upload of image\ncontents. 
(CVE-2015-5251)\n\nA race-condition flaw was discovered in the OpenStack Image service.\nWhen images in the upload state were deleted using a token close to\nexpiration, untracked image data could accumulate in the back end.\nBecause untracked data does not count towards the storage quota, an\nattacker could use this flaw to cause a denial of service through\nresource exhaustion. (CVE-2015-5286)\n\nRed Hat would like to thank the OpenStack project for reporting these\nissues. Upstream acknowledges Hemanth Makkapati of Rackspace as the\noriginal reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of\nMirantis as the original reporters of CVE-2015-5286.\n\nAll openstack-glance users are advised to upgrade to these updated\npackages, which correct these issues. After installing the updated\npackages, running Image service services will be restarted\nautomatically.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1897", "url": "https://access.redhat.com/errata/RHSA-2015:1897" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1263511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511" }, { "category": "external", "summary": "1267516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1897.json" } ], "title": "Red Hat Security Advisory: openstack-glance security update", "tracking": { "current_release_date": "2024-11-14T15:30:32+00:00", "generator": { "date": "2024-11-14T15:30:32+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2015:1897", "initial_release_date": "2015-10-15T12:29:01+00:00", "revision_history": [ { "date": "2015-10-15T12:29:01+00:00", "number": "1", "summary": "Initial version" }, { "date": "2015-10-15T12:29:01+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-14T15:30:32+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product": { "name": "Red Hat Enterprise Linux 
OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el7" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:6::el7" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:7::el7" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product": { "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product_id": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product_id": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.1.5-3.el6ost.noarch", "product": { "name": 
"python-glance-0:2014.1.5-3.el6ost.noarch", "product_id": "python-glance-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.1.5-3.el7ost.noarch", "product": { "name": "python-glance-0:2014.1.5-3.el7ost.noarch", "product_id": "python-glance-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product": { "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product_id": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.2.3-3.el7ost.noarch", "product": { "name": "python-glance-0:2014.2.3-3.el7ost.noarch", "product_id": "python-glance-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "product": { "name": 
"openstack-glance-0:2014.2.3-3.el7ost.noarch", "product_id": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product": { "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product_id": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2015.1.1-3.el7ost.noarch", "product": { "name": "python-glance-0:2015.1.1-3.el7ost.noarch", "product_id": "python-glance-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2015.1.1-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2015.1.1-3.el7ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el6ost.src", "product": { "name": "openstack-glance-0:2014.1.5-3.el6ost.src", "product_id": "openstack-glance-0:2014.1.5-3.el6ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=src" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el7ost.src", "product": { "name": "openstack-glance-0:2014.1.5-3.el7ost.src", "product_id": "openstack-glance-0:2014.1.5-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=src" } } }, { "category": "product_version", "name": 
"openstack-glance-0:2014.2.3-3.el7ost.src", "product": { "name": "openstack-glance-0:2014.2.3-3.el7ost.src", "product_id": "openstack-glance-0:2014.2.3-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=src" } } }, { "category": "product_version", "name": "openstack-glance-0:2015.1.1-3.el7ost.src", "product": { "name": "openstack-glance-0:2015.1.1-3.el7ost.src", "product_id": "openstack-glance-0:2015.1.1-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src" }, "product_reference": "openstack-glance-0:2014.1.5-3.el6ost.src", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", 
"full_product_name": { "name": "python-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "python-glance-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src" }, "product_reference": "openstack-glance-0:2014.1.5-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "python-glance-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": 
"7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.2.3-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src" }, "product_reference": "openstack-glance-0:2014.2.3-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "python-glance-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch" }, "product_reference": 
"openstack-glance-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2015.1.1-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src" }, "product_reference": "openstack-glance-0:2015.1.1-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" }, "product_reference": "python-glance-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "OpenStack project" ] }, { "names": [ "Hemanth Makkapati" ], "organization": "Rackspace", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2015-5251", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2015-09-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1263511" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an \u0027x-image-meta-status\u0027 header. 
A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service\u0027s v1 API could allow the illegal modification of image status. Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.", "title": "Vulnerability description" }, { "category": "summary", "text": "openstack-glance allows illegal modification of image status", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical 
URL", "url": "https://access.redhat.com/security/cve/CVE-2015-5251" }, { "category": "external", "summary": "RHBZ#1263511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5251", "url": "https://www.cve.org/CVERecord?id=CVE-2015-5251" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251" } ], "release_date": "2015-09-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-10-15T12:29:01+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", 
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1897" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openstack-glance allows illegal modification of image status" }, { "acknowledgments": [ { "names": [ "OpenStack project" ] }, { "names": [ "Mike Fedosin" ], "summary": "Acknowledged by upstream." }, { "names": [ "Alexei Galkin" ], "organization": "Mirantis", "summary": "Acknowledged by upstream." 
} ], "cve": "CVE-2015-5286", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2015-09-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1267516" } ], "notes": [ { "category": "description", "text": "A race-condition flaw was discovered in the OpenStack Image service (glance). When images in the upload state were deleted using a token close to expiration, untracked image data could accumulate in the back end. Because untracked data does not count towards the storage quota, an attacker could use this flaw to cause a denial of service through resource exhaustion.", "title": "Vulnerability description" }, { "category": "summary", "text": "openstack-glance: Storage overrun by deleting images", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", 
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-5286" }, { "category": "external", "summary": "RHBZ#1267516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5286", "url": "https://www.cve.org/CVERecord?id=CVE-2015-5286" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286" } ], "release_date": "2015-10-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-10-15T12:29:01+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1897" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", 
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openstack-glance: Storage overrun by deleting images" } ] }
rhsa-2015_1897
Vulnerability from csaf_redhat
Published: 2015-10-15 12:29
Modified: 2024-11-14 15:30
Summary
Red Hat Security Advisory: openstack-glance security update
Notes
Topic
Updated openstack-glance packages that fix two security issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
OpenStack Image service (glance) provides discovery, registration, and
delivery services for disk and server images. It provides the ability to
copy or snapshot a server image, and immediately store it away. Stored
images can be used as a template to get new servers up and running quickly
and more consistently than installing a server operating system and
individually configuring additional services.
A flaw was discovered in the OpenStack Image service where a
tenant could manipulate the status of their images by submitting an
HTTP PUT request together with an 'x-image-meta-status' header. A
malicious tenant could exploit this flaw to reactivate disabled images,
bypass storage quotas, and in some cases replace image contents (where
they have owner access). Setups using the Image service's v1 API could
allow the illegal modification of image status. Additionally, setups
which also use the v2 API could allow a subsequent re-upload of image
contents. (CVE-2015-5251)
A race-condition flaw was discovered in the OpenStack Image service.
When images in the upload state were deleted using a token close to
expiration, untracked image data could accumulate in the back end.
Because untracked data does not count towards the storage quota, an
attacker could use this flaw to cause a denial of service through
resource exhaustion. (CVE-2015-5286)
Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Hemanth Makkapati of Rackspace as the
original reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of
Mirantis as the original reporters of CVE-2015-5286.
All openstack-glance users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, running Image service services will be restarted
automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated openstack-glance packages that fix two security issues are now\navailable for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "OpenStack Image service (glance) provides discovery, registration, and\ndelivery services for disk and server images. It provides the ability to\ncopy or snapshot a server image, and immediately store it away. Stored\nimages can be used as a template to get new servers up and running quickly\nand more consistently than installing a server operating system and\nindividually configuring additional services.\n\nA flaw was discovered in the OpenStack Image service where a\ntenant could manipulate the status of their images by submitting an\nHTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A\nmalicious tenant could exploit this flaw to reactivate disabled images,\nbypass storage quotas, and in some cases replace image contents (where\nthey have owner access). Setups using the Image service\u0027s v1 API could\nallow the illegal modification of image status. Additionally, setups\nwhich also use the v2 API could allow a subsequent re-upload of image\ncontents. 
(CVE-2015-5251)\n\nA race-condition flaw was discovered in the OpenStack Image service.\nWhen images in the upload state were deleted using a token close to\nexpiration, untracked image data could accumulate in the back end.\nBecause untracked data does not count towards the storage quota, an\nattacker could use this flaw to cause a denial of service through\nresource exhaustion. (CVE-2015-5286)\n\nRed Hat would like to thank the OpenStack project for reporting these\nissues. Upstream acknowledges Hemanth Makkapati of Rackspace as the\noriginal reporter of CVE-2015-5251, and Mike Fedosin and Alexei Galkin of\nMirantis as the original reporters of CVE-2015-5286.\n\nAll openstack-glance users are advised to upgrade to these updated\npackages, which correct these issues. After installing the updated\npackages, running Image service services will be restarted\nautomatically.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:1897", "url": "https://access.redhat.com/errata/RHSA-2015:1897" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1263511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511" }, { "category": "external", "summary": "1267516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1897.json" } ], "title": "Red Hat Security Advisory: openstack-glance security update", "tracking": { "current_release_date": "2024-11-14T15:30:32+00:00", "generator": { "date": "2024-11-14T15:30:32+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2015:1897", "initial_release_date": "2015-10-15T12:29:01+00:00", "revision_history": [ { "date": "2015-10-15T12:29:01+00:00", "number": "1", "summary": "Initial version" }, { "date": "2015-10-15T12:29:01+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-14T15:30:32+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product": { "name": "Red Hat Enterprise Linux 
OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el7" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:6::el7" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:7::el7" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product": { "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product_id": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product_id": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.1.5-3.el6ost.noarch", "product": { "name": 
"python-glance-0:2014.1.5-3.el6ost.noarch", "product_id": "python-glance-0:2014.1.5-3.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.1.5-3.el7ost.noarch", "product": { "name": "python-glance-0:2014.1.5-3.el7ost.noarch", "product_id": "python-glance-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product": { "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product_id": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2014.2.3-3.el7ost.noarch", "product": { "name": "python-glance-0:2014.2.3-3.el7ost.noarch", "product_id": "python-glance-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "product": { "name": 
"openstack-glance-0:2014.2.3-3.el7ost.noarch", "product_id": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product": { "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product_id": "openstack-glance-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-glance-0:2015.1.1-3.el7ost.noarch", "product": { "name": "python-glance-0:2015.1.1-3.el7ost.noarch", "product_id": "python-glance-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-glance@2015.1.1-3.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product": { "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product_id": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance-doc@2015.1.1-3.el7ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el6ost.src", "product": { "name": "openstack-glance-0:2014.1.5-3.el6ost.src", "product_id": "openstack-glance-0:2014.1.5-3.el6ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el6ost?arch=src" } } }, { "category": "product_version", "name": "openstack-glance-0:2014.1.5-3.el7ost.src", "product": { "name": "openstack-glance-0:2014.1.5-3.el7ost.src", "product_id": "openstack-glance-0:2014.1.5-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.1.5-3.el7ost?arch=src" } } }, { "category": "product_version", "name": 
"openstack-glance-0:2014.2.3-3.el7ost.src", "product": { "name": "openstack-glance-0:2014.2.3-3.el7ost.src", "product_id": "openstack-glance-0:2014.2.3-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2014.2.3-3.el7ost?arch=src" } } }, { "category": "product_version", "name": "openstack-glance-0:2015.1.1-3.el7ost.src", "product": { "name": "openstack-glance-0:2015.1.1-3.el7ost.src", "product_id": "openstack-glance-0:2015.1.1-3.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openstack-glance@2015.1.1-3.el7ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "openstack-glance-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src" }, "product_reference": "openstack-glance-0:2014.1.5-3.el6ost.src", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", 
"full_product_name": { "name": "python-glance-0:2014.1.5-3.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch" }, "product_reference": "python-glance-0:2014.1.5-3.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "openstack-glance-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.1.5-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src" }, "product_reference": "openstack-glance-0:2014.1.5-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2014.1.5-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch" }, "product_reference": "python-glance-0:2014.1.5-3.el7ost.noarch", "relates_to_product_reference": 
"7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "openstack-glance-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2014.2.3-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src" }, "product_reference": "openstack-glance-0:2014.2.3-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2014.2.3-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch" }, "product_reference": "python-glance-0:2014.2.3-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch" }, "product_reference": 
"openstack-glance-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-0:2015.1.1-3.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src" }, "product_reference": "openstack-glance-0:2015.1.1-3.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch" }, "product_reference": "openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-glance-0:2015.1.1-3.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" }, "product_reference": "python-glance-0:2015.1.1-3.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "OpenStack project" ] }, { "names": [ "Hemanth Makkapati" ], "organization": "Rackspace", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2015-5251", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2015-09-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1263511" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an \u0027x-image-meta-status\u0027 header. 
A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service\u0027s v1 API could allow the illegal modification of image status. Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.", "title": "Vulnerability description" }, { "category": "summary", "text": "openstack-glance allows illegal modification of image status", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical 
URL", "url": "https://access.redhat.com/security/cve/CVE-2015-5251" }, { "category": "external", "summary": "RHBZ#1263511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1263511" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5251", "url": "https://www.cve.org/CVERecord?id=CVE-2015-5251" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5251" } ], "release_date": "2015-09-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-10-15T12:29:01+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", 
"7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1897" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openstack-glance allows illegal modification of image status" }, { "acknowledgments": [ { "names": [ "OpenStack project" ] }, { "names": [ "Mike Fedosin" ], "summary": "Acknowledged by upstream." }, { "names": [ "Alexei Galkin" ], "organization": "Mirantis", "summary": "Acknowledged by upstream." 
} ], "cve": "CVE-2015-5286", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2015-09-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1267516" } ], "notes": [ { "category": "description", "text": "A race-condition flaw was discovered in the OpenStack Image service (glance). When images in the upload state were deleted using a token close to expiration, untracked image data could accumulate in the back end. Because untracked data does not count towards the storage quota, an attacker could use this flaw to cause a denial of service through resource exhaustion.", "title": "Vulnerability description" }, { "category": "summary", "text": "openstack-glance: Storage overrun by deleting images", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", 
"7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-5286" }, { "category": "external", "summary": "RHBZ#1267516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267516" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5286", "url": "https://www.cve.org/CVERecord?id=CVE-2015-5286" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5286" } ], "release_date": "2015-10-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-10-15T12:29:01+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:1897" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:openstack-glance-0:2014.1.5-3.el6ost.src", "6Server-RH6-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-glance-0:2014.1.5-3.el6ost.noarch", "7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.noarch", 
"7Server-RH7-RHOS-5.0:openstack-glance-0:2014.1.5-3.el7ost.src", "7Server-RH7-RHOS-5.0:openstack-glance-doc-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-glance-0:2014.1.5-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:openstack-glance-0:2014.2.3-3.el7ost.src", "7Server-RH7-RHOS-6.0:openstack-glance-doc-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-glance-0:2014.2.3-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:openstack-glance-0:2015.1.1-3.el7ost.src", "7Server-RH7-RHOS-7.0:openstack-glance-doc-0:2015.1.1-3.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-glance-0:2015.1.1-3.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openstack-glance: Storage overrun by deleting images" } ] }
gsd-2015-5251
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
Aliases
{ "GSD": { "alias": "CVE-2015-5251", "description": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.", "id": "GSD-2015-5251", "references": [ "https://www.suse.com/security/cve/CVE-2015-5251.html", "https://access.redhat.com/errata/RHSA-2015:1897", "https://ubuntu.com/security/CVE-2015-5251" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2015-5251" ], "details": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.", "id": "GSD-2015-5251", "modified": "2023-12-13T01:20:06.268879Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-5251", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_affected": "=", "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://rhn.redhat.com/errata/RHSA-2015-1897.html", "refsource": "MISC", "url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html" }, { "name": "https://bugs.launchpad.net/bugs/1482371", "refsource": "MISC", "url": "https://bugs.launchpad.net/bugs/1482371" }, { "name": "https://security.openstack.org/ossa/OSSA-2015-019.html", "refsource": "MISC", "url": "https://security.openstack.org/ossa/OSSA-2015-019.html" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c2014.2.4||\u003e=2015.1.0,\u003c2015.1.2", "affected_versions": "All versions before 2014.2.4, all versions starting from 2015.1.0 before 2015.1.2", "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "cwe_ids": [ "CWE-1035", "CWE-264", "CWE-937" ], "date": "2023-02-08", "description": "A flaw was discovered in the OpenStack Image service (glance) where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an \u0027x-image-meta-status\u0027 header. A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents (where they have owner access). Setups using the Image service\u0027s v1 API could allow the illegal modification of image status. 
Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.", "fixed_versions": [ "2014.2.4", "2015.1.2" ], "identifier": "CVE-2015-5251", "identifiers": [ "GHSA-q748-mcwg-xmqv", "CVE-2015-5251" ], "not_impacted": "All versions starting from 2014.2.4 before 2015.1.0, all versions starting from 2015.1.2", "package_slug": "pypi/glance", "pubdate": "2022-05-17", "solution": "Upgrade to versions 2014.2.4, 2015.1.2 or above.", "title": "OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2015-5251", "https://bugs.launchpad.net/bugs/1482371", "https://security.openstack.org/ossa/OSSA-2015-019.html", "http://rhn.redhat.com/errata/RHSA-2015-1897.html", "https://access.redhat.com/errata/RHSA-2015:1897", "https://access.redhat.com/security/cve/CVE-2015-5251", "https://bugzilla.redhat.com/show_bug.cgi?id=1263511", "https://github.com/advisories/GHSA-q748-mcwg-xmqv" ], "uuid": "c40ea2b8-b659-436d-aed6-b1e44fff939e" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2014.2.3", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:openstack:image_registry_and_delivery_service_\\(glance\\):2015.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-5251" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote 
authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-264" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2015:1897", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-1897.html" }, { "name": "https://security.openstack.org/ossa/OSSA-2015-019.html", "refsource": "CONFIRM", "tags": [ "Vendor Advisory" ], "url": "https://security.openstack.org/ossa/OSSA-2015-019.html" }, { "name": "https://bugs.launchpad.net/bugs/1482371", "refsource": "CONFIRM", "tags": [], "url": "https://bugs.launchpad.net/bugs/1482371" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false } }, "lastModifiedDate": "2023-02-13T00:52Z", "publishedDate": "2015-10-26T17:59Z" } } }
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.