CVE 2015-5251
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
Related bugs and status
CVE-2015-5251 (Candidate) is related to these bugs:
Bug #1482371: [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1482371 | [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) | Glance | Critical | Fix Released | ||
| 1482371 | [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) | OpenStack Security Advisory | Undecided | Fix Released | ||
| 1482371 | [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) | Glance juno | Undecided | Fix Released | ||
| 1482371 | [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) | Glance kilo | Undecided | Fix Released | ||
Bug #1496798: User can change image status directly with v1 API
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1496798 | User can change image status directly with v1 API | Mirantis OpenStack | Critical | Fix Released | ||
| 1496798 | User can change image status directly with v1 API | Mirantis OpenStack 6.1.x | Critical | Fix Released | ||
| 1496798 | User can change image status directly with v1 API | Mirantis OpenStack 8.0.x | Critical | Fix Released | ||
| 1496798 | User can change image status directly with v1 API | Mirantis OpenStack 7.0.x | Critical | Fix Released | ||
| 1496798 | User can change image status directly with v1 API | Mirantis OpenStack 5.1.x | Critical | Fix Released | ||
| 1496798 | User can change image status directly with v1 API | Mirantis OpenStack 6.0.x | Critical | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
