Bug 1181533 (CVE-2015-1195) - CVE-2015-1195 openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-1195
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1174476
Reported: 2015-01-13 10:53 UTC by Martin Prpič
Modified: 2023-05-12 06:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the fix for CVE-2014-9493 was incomplete: an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.
Clone Of:
Environment:
Last Closed: 2015-02-19 21:58:02 UTC
Embargoed:



Description Martin Prpič 2015-01-13 10:53:25 UTC
Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme, an authenticated user can still download or delete any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

References:
https://launchpad.net/bugs/1408663

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Jin Liu of EMC as the original reporter.
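
The bypass described above is the classic deny-list failure: a check that rejects a few known-bad spellings of a local path (the description implies the earlier fix stopped file:// but not the equivalent filesystem:// spelling) is not the same as a check that only admits the schemes a user is entitled to set. The following is an added example, not Glance's own code and not the upstream patch; the REMOTE_SCHEMES set and the sample location URLs are constructed for illustration, and the deny-list function is a stand-in for the kind of incomplete check the advisory describes.

```python
"""Deny-list versus allow-list validation of a user-supplied image location.

Added example; not code from Glance or from the OSSA 2015-002 fix.  The
deny-list function models the incomplete pattern the advisory describes
(reject a few known-bad prefixes, trust everything else); the allow-list
function is the shape a complete fix takes (admit only named remote schemes).
"""
from urllib.parse import urlsplit

# Assumed for this example only: the schemes a tenant may legitimately use
# when setting an image location.  Exact strings, so "swift+config" (a
# server-side config reference) is not admitted by "swift" being listed.
REMOTE_SCHEMES = frozenset({
    "http", "https", "swift", "swift+http", "swift+https",
    "rbd", "sheepdog", "cinder", "vsphere",
})


class LocationError(ValueError):
    """Raised when a location URL must not be accepted from an API user."""


def validate_location_denylist(url: str) -> str:
    """Incomplete check: blocks two spellings of local access, trusts the rest.

    "filesystem:///etc/passwd" and "FILE:///etc/passwd" both pass, because
    neither string begins with exactly "file://".
    """
    if url.startswith("file://") or url.startswith("swift+config://"):
        raise LocationError("forbidden location: %r" % url)
    return url


def validate_location_allowlist(url: str) -> str:
    """Complete check: only an explicitly permitted remote scheme passes."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()          # normalise case before comparing
    if scheme not in REMOTE_SCHEMES:
        raise LocationError("scheme %r is not an allowed image location" % scheme)
    if not parts.netloc:
        # A remote location names a host/backend; a bare path does not.
        raise LocationError("location has no remote host: %r" % url)
    return url


def accepts(validator, url: str) -> bool:
    """True if the validator lets the URL through, False if it raises."""
    try:
        validator(url)
        return True
    except LocationError:
        return False


# Constructed sample locations: what a tenant might PATCH into an image's
# "locations" field.  The last column is what a complete fix should do.
SAMPLE_LOCATIONS = [
    ("http://images.example.org/cirros.img", True),
    ("swift+https://user:key@auth.example.org/v1/AUTH_t/c/o", True),
    ("file:///etc/passwd", False),
    ("filesystem:///etc/passwd", False),
    ("FILE:///etc/passwd", False),
    ("swift+config://ref1/container/object", False),
]


def compare_validators():
    """Return {url: (denylist_accepts, allowlist_accepts, expected)}."""
    return {
        url: (accepts(validate_location_denylist, url),
              accepts(validate_location_allowlist, url),
              expected)
        for url, expected in SAMPLE_LOCATIONS
    }


if __name__ == "__main__":
    print("%-55s %-8s %-8s %s" % ("location", "denylist", "allowlist", "expected"))
    for url, (deny, allow, expected) in compare_validators().items():
        print("%-55s %-8s %-8s %s" % (url, deny, allow, expected))
```

The allow-list function reports every sample correctly; the deny-list function lets filesystem:// and FILE:// through, which is exactly the gap between an advisory that fixes "file://" and one that fixes local path access. In a real deployment the accepted set should be derived from the backends the operator actually configured, and a location should never be accepted from an API user at all unless the deployment deliberately enables that feature.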

Comment 1 Martin Prpič 2015-01-13 10:55:03 UTC
CVE request: http://seclists.org/oss-sec/2015/q1/124

Comment 4 Garth Mollett 2015-02-19 21:56:09 UTC
Statement:

The fix for CVE-2014-9493 is complete and openstack-glance for Red Hat Enterprise Linux OpenStack Platform 4.0 and 5.0 is not affected by this issue.

This issue did not affect the version of openstack-glance as shipped with Red Hat Enterprise Linux Open Stack Platform 6.0.

