Re: [OSSA 2015-002] Glance v2 API unrestricted path traversal through filesystem:// scheme

[cve-assign () mitre org]

On Thu, 15 Jan 2015, Tristan Cacqueray wrote:

> =====================================================================================
> OSSA-2015-002: Glance v2 API unrestricted path traversal through filesystem:// scheme
> =====================================================================================
>
> :Date: January 15, 2015
> :CVE: Requested
>
>
> Affects
> ~~~~~~~
> - Glance: up to 2014.1.3 and 2014.2 versions up to 2014.2.1
>
>
> Description
> ~~~~~~~~~~~
> Jin Liu from EMC reported that path traversal vulnerabilities in
> Glance were not fully patched in OSSA 2014-041. By setting a malicious
> image location to a filesystem:// scheme an authenticated user can
> still download or delete any file on the Glance server for which the
> Glance process user has access to. Only setups using the Glance V2 API
> are affected by this flaw.
>
>
> Patches
> ~~~~~~~
> - https://review.openstack.org/145974 (Icehouse)
> - https://review.openstack.org/145916 (Juno)
> - https://review.openstack.org/145640 (Kilo)
>
>
> Credits
> ~~~~~~~
> - Jin Liu from EMC
>
>
> References
> ~~~~~~~~~~
> - https://launchpad.net/bugs/1408663
>
>
> Notes
> ~~~~~
> - This fix was included in the kilo-1 development milestone and will be
>  included in future 2014.2.2 (juno) and 2014.1.4 (icehouse) releases.
> - The OpenStack VMT recommends revoking all credentials stored in files
>  accessible by Glance as a precautionary measure.
> - A CVE has been requested for this issue, the OpenStack VMT will issue an
>  errata with the correct CVE number assigned once this information is
>  available.
>
> --
> Tristan Cacqueray
> OpenStack Vulnerability Management Team

Use CVE-2015-1195.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]