Information disclosure in Amazon S3_store

CVE-2013-1840

The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials v…

Vulnerability class: Information Disclosure

EPSS: 0.003 (57.3th percentile) — read the EPSS interpretation.

Affected products

Amazon S3_store
Openstack Essex — versions 2012.1
Openstack Folsom — versions 2012.2
Openstack Glance — versions v1
Openstack Swift
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

openstack-glance-api-info-disclosure(82878) (vdb-entry, x_refsource_XF)
secalert@redhat.com (x_refsource_CONFIRM)
USN-1764-1 (x_refsource_UBUNTU, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM)
52565 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
RHSA-2013:0707 (x_refsource_REDHAT, vendor-advisory)
91304 (x_refsource_OSVDB, vdb-entry)
[oss-security] 20130314 [OSSA 2013-007] Backend credentials leak in Glance v1 API (CVE-2013-1840) (mailing-list, x_refsource_MLIST)
58490 (vdb-entry, x_refsource_BID)