Glance v2 API host file disclosure through qcow2 backing file (CVE-2015-5163)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | High | Mike Fedosin |
Bug Description
This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.
Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0 versions through 2015.1.1
Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By
importing a qcow2 image with a malicious backing file, an authenticated
user may mislead the Glance import task action, resulting in the disclosure
of any file on the Glance server that the Glance process user can
read. Only setups using the Glance V2 API are affected by this flaw.
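The check the import task needs is the one described above: before an uploaded qcow2 file is handed to a conversion tool, refuse any image whose header references a backing file, because the tool would then open that path on the Glance host and copy its contents into the converted image. The following is an added example, not Glance's code and not one of the attached patches. It parses the qcow2 header directly (offsets from the QEMU qcow2 format specification) so it runs offline without qemu; an equivalent check can be made against the output of `qemu-img info --output=json`. The `build_qcow2_image` helper constructs test data only (a header plus a backing file name, not a complete image), and the `/etc/passwd` path in the malicious sample is a constructed illustration.

```python
import struct

# qcow2 version 2 header, all fields big-endian, per the QEMU qcow2 specification.
QCOW2_MAGIC = b"QFI\xfb"
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_FIELDS = (
    "magic", "version", "backing_file_offset", "backing_file_size",
    "cluster_bits", "size", "crypt_method", "l1_size", "l1_table_offset",
    "refcount_table_offset", "refcount_table_clusters", "nb_snapshots",
    "snapshots_offset",
)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72 bytes


class BadImage(ValueError):
    """Raised for files that are not a parseable qcow2 header."""


def build_qcow2_image(backing_file=None, virtual_size=64 * 1024 * 1024):
    """Construct a minimal qcow2 file in memory: the 72-byte header followed by
    the optional backing file name. This is constructed test data, enough for
    header parsing; it is not a complete or bootable image."""
    name = backing_file.encode() if backing_file else b""
    header = struct.pack(
        HEADER_FMT,
        QCOW2_MAGIC,
        2,                          # version
        HEADER_LEN if name else 0,  # backing_file_offset: name follows header
        len(name),                  # backing_file_size (not NUL-terminated)
        16,                         # cluster_bits: 64 KiB clusters
        virtual_size,               # virtual disk size in bytes
        0,                          # crypt_method: none
        0, 0, 0, 0, 0, 0,           # l1/refcount/snapshot fields: unused here
    )
    return header + name


def parse_qcow2_header(data):
    """Decode the fixed header into a dict, rejecting non-qcow2 input."""
    if len(data) < HEADER_LEN:
        raise BadImage("file shorter than a qcow2 header")
    fields = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, data[:HEADER_LEN])))
    if fields["magic"] != QCOW2_MAGIC:
        raise BadImage("not a qcow2 image")
    if fields["version"] not in (2, 3):
        raise BadImage("unsupported qcow2 version %d" % fields["version"])
    return fields


def backing_file_of(data):
    """Return the backing file path named in the header, or None if there is
    none. backing_file_offset == 0 means no backing file."""
    h = parse_qcow2_header(data)
    off, size = h["backing_file_offset"], h["backing_file_size"]
    if off == 0:
        return None
    # The spec limits the name to 1023 bytes, and it must lie inside the file.
    if size == 0 or size > 1023 or off + size > len(data):
        raise BadImage("backing file name out of bounds")
    return data[off:off + size].decode("utf-8", "replace")


def is_safe_to_import(data):
    """Policy for the import task: a qcow2 image that references a backing
    file is rejected, as is anything the parser cannot make sense of."""
    try:
        return backing_file_of(data) is None
    except BadImage:
        return False


if __name__ == "__main__":
    clean = build_qcow2_image()
    # Constructed malicious sample: the backing file points at a host file.
    evil = build_qcow2_image(backing_file="/etc/passwd")
    for label, img in (("clean", clean), ("malicious", evil)):
        print(label, repr(backing_file_of(img)), "safe:", is_safe_to_import(img))
```

Note that the policy rejects on any parse failure rather than falling through to the conversion tool: a header that cannot be read is not evidence that there is no backing file.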
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo and master on the public disclosure date.
CVE: CVE-2015-5163
Changed in mos:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
tags: added: feature-security
Fix committed in 7.0 - https://review.fuel-infra.org/#/c/10717/