Launchpad CVE tracker

CVE 2015-1195

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.

Related bugs and status

CVE-2015-1195 (Candidate) is related to these bugs:

Bug #1514467: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)

		In	Importance	Status
1514467	[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)	Mirantis OpenStack	Undecided	Invalid
1514467	[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)	Mirantis OpenStack 5.1.x	Critical	Fix Released
1514467	[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)	Mirantis OpenStack 6.0.x	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-1195

References