Bug 1181533 (CVE-2015-1195) - CVE-2015-1195 openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)
Summary: CVE-2015-1195 openstack-glance: unrestricted path traversal flaw (incomplete ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-1195
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1174476
TreeView+ depends on / blocked
 
Reported: 2015-01-13 10:53 UTC by Martin Prpič
Modified: 2019-09-29 13:26 UTC (History)
31 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the fix for CVE-2014-9493 was incomplete: an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.
Clone Of:
Environment:
Last Closed: 2015-02-19 21:58:02 UTC


Attachments (Terms of Use)

Description Martin Prpič 2015-01-13 10:53:25 UTC
Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme an authenticated user can still download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.

References:
https://launchpad.net/bugs/1408663

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Jin Liu of EMC as the original reporter.

Comment 1 Martin Prpič 2015-01-13 10:55:03 UTC
CVE request: http://seclists.org/oss-sec/2015/q1/124

Comment 4 Garth Mollett 2015-02-19 21:56:09 UTC
Statement:

The fix for CVE-2014-9493 is complete and openstack-glance for Red Hat Enterprise Linux Open Stack Platform 4.0 and 5.0 is not affected by this issue.

This issue did not affect the version of openstack-glance as shipped with Red Hat Enterprise Linux Open Stack Platform 6.0.


Note You need to log in before you can comment on or make changes to this bug.