Glance allows users to download and delete any file in glance-api server
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | Critical | Alexander Tivelkov | |
| 4.1.x | Won't Fix | Critical | MOS Glance | |
| 5.0.x | Won't Fix | Critical | MOS Glance | |
| 5.1.x | Fix Released | Critical | Denis Puchkin | |
| 6.0.x | Fix Released | Critical | Alexander Tivelkov | |
| 6.1.x | Fix Released | Critical | Alexander Tivelkov | |
Bug Description
By updating image locations through the update-image API, users can download any file for which glance-api has read permission.
And a file for which glance-api has write permission will be deleted when users delete the image.
For example:
When users specify '/etc/passwd' as the locations value of an image, the user can get the file by downloading the image.
When the locations of an image are set with 'file:/
How to reproduce the bug:

Download files:
- set show_multiple_
- create a new image
- set the image's locations property to the path you want to read, such as file:///etc/passwd
- download the image

Delete files:
- set show_multiple_
- create a new image
- set the image's locations property to the path you want to delete, such as file://
- delete the image
upstream bug: https:/
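The root cause described above is that a client-supplied location URI was handed to the store layer unchecked, so a `file://` (or bare) path made glance-api read its own host's files on download and unlink them on delete. The following validator is an added example written for this page, not Glance's own code: it applies an allowlist of remote store schemes before a v2 `replace /locations` patch is stored, rejecting local-filesystem schemes and `swift+config` (which the fix subject below also names). `ALLOWED_SCHEMES`, `LOCAL_SCHEMES` and the dict-based image record are assumptions of the example.

```python
from urllib.parse import urlparse

# Schemes that the glance-api process would resolve on its own disk rather
# than in an external image store. Accepting them from a client is exactly
# what turned image download into file read and image delete into unlink.
# Both sets are assumptions for this example, not Glance configuration.
LOCAL_SCHEMES = {"", "file", "filesystem"}
ALLOWED_SCHEMES = {"http", "https", "swift", "rbd"}


def validate_external_location(uri):
    """Return True only if uri may be stored as a client-supplied location.

    A bare path parses with an empty scheme, so it falls into LOCAL_SCHEMES;
    urlparse lowercases the scheme, so FILE:// is caught as well. Anything
    not explicitly allowed (e.g. swift+config://) is rejected.
    """
    if not isinstance(uri, str) or not uri.strip():
        return False
    scheme = urlparse(uri.strip()).scheme.lower()
    if scheme in LOCAL_SCHEMES:
        return False
    return scheme in ALLOWED_SCHEMES


def set_image_locations(image, locations):
    """Apply a v2 'replace /locations' patch only if every entry is safe.

    `image` is a plain dict standing in for the image record. A rejected
    patch leaves the record untouched and returns the offending URIs so the
    API layer can answer 400 instead of persisting the location.
    """
    bad = [loc.get("url") for loc in locations
           if not validate_external_location(loc.get("url"))]
    if bad:
        return bad
    image["locations"] = [dict(loc) for loc in locations]
    return []
```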
Changed in mos:
- assignee: nobody → MOS Glance (mos-glance)
- status: Confirmed → In Progress
- description: updated
- information type: Public → Public Security
- tags: added: feature-security
RPM package glance has been built for project openstack/glance mira9.git.416c9f6.3babba9
Package version == 2014.2, package release == fuel6.0.
Changeset: https://review.fuel-infra.org/1406 ci/fuel-6.0/2014.2
project: openstack/glance
branch: openstack-
author: Alexander Tivelkov
committer: Alexander Tivelkov
subject: To prevent client use v2 patch api to handle file and swift location
status: patchset-created
Files placed on repository: glance-2014.2-fuel6.0.mira9.git.416c9f6.3babba9.noarch.rpm glance-doc-2014.2-fuel6.0.mira9.git.416c9f6.3babba9.noarch.rpm glance-2014.2-fuel6.0.mira9.git.416c9f6.3babba9.noarch.rpm
openstack-
openstack-
python-
NOTE: Changeset is not merged, created temporary package repository. osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1406/centos
RPM repository URL: http://