Vulnerability in OpenStack Image Registry and Delivery Service (Glance)
CVE-2014-9493
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.
EPSS: 0.007 (73.5th percentile)
Affected products
- OpenStack Image Registry and Delivery Service (Glance)
- Red Hat OpenStack — versions 4.0, 5.0
Weakness classification (CWE)
References
- RHSA-2015:0246 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
- cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory, Issue Tracking)
- cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
- 71688 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
- [openstack-announce] 20141223 [OSSA-2014-041] Glance v2 API unrestricted path traversal (Vendor Advisory, mailing-list, x_refsource_MLIST, Patch)
- cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)