Bug 1174474 (CVE-2014-9493)
| Summary: | CVE-2014-9493 openstack-glance: unrestricted path traversal flaw | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | abaron, abelopez, akscram, alexander.sakhnov, aortega, apevec, ayoung, bfilippov, chrisw, dallan, eglynn, fpercoco, gkotton, gmollett, itamar, jobernar, jonathansteffan, jose.castro.leon, jrusnack, karlthered, lhh, lpeer, markmc, mlvov, mmagr, ndipanov, nsantos, p, rbryant, rk, sclewis, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-02-19 21:33:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1174477, 1174478, 1174482, 1174483, 1174484, 1174485 | | |
| Bug Blocks: | 1174476 | | |
Description

Vincent Danen 2014-12-15 22:02:43 UTC

Created openstack-glance tracking bugs for this issue:

Affects: fedora-all [bug 1174477]
Affects: openstack-rdo [bug 1174478]

Note that this was disclosed Dec 15 and is still waiting on a CVE assignment: http://www.openwall.com/lists/oss-security/2014/12/15/8

We have patches ready here; do we wait for a CVE assignment for tracking or not?

Garth Mollett (comment #7)

Upstream fixes are incomplete. They only block the file:// uri leaving other options (at least filesystem://) that still allow access to files.

See: https://bugs.launchpad.net/glance/+bug/1400966/comments/44

(In reply to Garth Mollett from comment #7)
> Upstream fixes are incomplete. They only block the file:// uri leaving other
> options (at least filesystem://) that still allow access to files.
>
> See:
>
> https://bugs.launchpad.net/glance/+bug/1400966/comments/44

New upstream bug: https://bugs.launchpad.net/ossa/+bug/1408663

*** Bug 1174907 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products:

OpenStack 5 for RHEL 6
OpenStack 5 for RHEL 7
OpenStack 4 for RHEL 6

Via RHSA-2015:0246 https://rhn.redhat.com/errata/RHSA-2015-0246.html
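The comments above note that a fix which rejects only the file:// scheme still lets filesystem:// reach local files. The following is an added example, not code from glance or from this bug report, contrasting that denylist check with a scheme allowlist over constructed image-location URIs; the allowed-scheme set and the sample URIs are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample image locations (not values from the bug report).
# The filesystem:// entry stands for the alternate scheme that comment #7
# says the first upstream fix left open.
SAMPLE_LOCATIONS = [
    "http://images.example.org/cirros.img",
    "swift+https://example.org/v1/AUTH_demo/images/img1",
    "file:///etc/glance/glance-api.conf",
    "filesystem:///etc/glance/glance-api.conf",
    "FILE:///etc/passwd",
    "/etc/passwd",  # no scheme at all
]

# Assumed operator configuration: the only backends images may be served from.
ALLOWED_SCHEMES = {"http", "https", "swift", "swift+https"}


def denylist_allows(location: str) -> bool:
    """Denylist-style check: rejects only file://.

    This mirrors the shape of the incomplete fix: any scheme that is not
    literally 'file' passes, so filesystem:// (and a bare path) slip through.
    """
    scheme = urlsplit(location).scheme.lower()
    return scheme != "file"


def allowlist_allows(location: str) -> bool:
    """Allowlist-style check: only explicitly permitted schemes pass.

    Unknown schemes and scheme-less paths are rejected by default, so a new
    local-file scheme cannot bypass the check.
    """
    scheme = urlsplit(location).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def compare(locations):
    """Return {location: (denylist_result, allowlist_result)} for review."""
    return {loc: (denylist_allows(loc), allowlist_allows(loc)) for loc in locations}


if __name__ == "__main__":
    for loc, (deny, allow) in compare(SAMPLE_LOCATIONS).items():
        print(f"{loc:55} denylist={deny!s:5} allowlist={allow}")
```

Running it shows the filesystem:// and scheme-less locations passing the denylist but failing the allowlist, which is the gap the later upstream bug was opened to close.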