Re: [grant.murphy () hp com: [oss-security] CVE request for vulnerability in OpenStack Glance]

[cve-assign () mitre org]

> > A vulnerability was discovered in OpenStack (see below). In order to 
> > ensure full traceability, we need a CVE number assigned that we can 
> > attach to further notifications. This issue is already public, although 
> > an advisory was not sent yet.
> >
> > Title: Glance v2 API unrestricted path traversal
> > Reporter: Masahito Muroi (NTT)
> > Products: Glance
> > Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1
> >
> > Description: Masahito Muroi from NTT reported a vulnerability in 
> > Glance. By setting a malicious image location an authenticated user can 
> > download or delete any file on the Glance server for which the Glance 
> > process user has access to. Only setups using the Glance V2 API are 
> > affected by this flaw.
> >
> > References:
> > https://launchpad.net/bugs/1400966

Use CVE-2014-9493.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]