Information disclosure in OpenStack Glance
CVE-2015-5163
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.
Vulnerability class: Information Disclosure
EPSS: 0.003 (51.4th percentile)
Affected products
- OpenStack Glance — versions 2015.1.0, 2015.1.1
References
- RHSA-2015:1639 (x_refsource_REDHAT, vendor-advisory)
- [openstack-announce] 20150813 [OSSA 2015-014] Glance v2 API host file disclosure through qcow2 backing file (CVE-2015-5163) (mailing-list, x_refsource_MLIST)
- 76346 (vdb-entry, x_refsource_BID)
- secalert@redhat.com (x_refsource_CONFIRM)