[OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted in the v2 api
Bug #1076506 reported by Mark Washenberger
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Fix Released | Critical | Mark Washenberger | |
| Folsom | Fix Released | Critical | Mark Washenberger | |
| Grizzly | Fix Released | Critical | Mark Washenberger | |
| OpenStack Security Advisory | Fix Released | Undecided | Russell Bryant | |
| glance (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Quantal | Fix Released | Undecided | Unassigned | |
Bug Description
It appears that bug #1065187 also affects the v2 api. From the previous description:
Given a public, non-protected image, a non-admin user can issue a delete against that image which may delete the image from the backend storage repository. The client will get a 403 unauthorized response, but the backend delete method is called prior to checking for those permissions on the glance registry.
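The ordering problem described above, modelled as an added example (constructed for illustration; this is not Glance's code, and every class and function name is hypothetical). It contrasts calling the backend delete before the registry's permission check with authorizing first.

```python
class Forbidden(Exception):
    """Stands in for the 403 response the client receives."""

class Registry:
    """Hypothetical metadata registry that enforces ownership on delete."""
    def __init__(self):
        self.images = {}

    def authorize_delete(self, image_id, user):
        image = self.images[image_id]
        if not user["is_admin"] and image["owner"] != user["id"]:
            raise Forbidden(image_id)

    def delete(self, image_id, user):
        self.authorize_delete(image_id, user)
        del self.images[image_id]

class Store:
    """Hypothetical backend storage holding the image data."""
    def __init__(self):
        self.blobs = {}

    def delete(self, image_id):
        self.blobs.pop(image_id, None)

def delete_image_flawed(registry, store, image_id, user):
    # Ordering from the bug description: the backend data is removed first,
    # and the permission check only happens afterwards in the registry call.
    store.delete(image_id)
    registry.delete(image_id, user)

def delete_image_checked(registry, store, image_id, user):
    # Authorize before any destructive backend call.
    registry.authorize_delete(image_id, user)
    store.delete(image_id)
    registry.delete(image_id, user)

def run(delete_fn):
    """Return (got_403, data_still_in_backend) for a non-owner, non-admin delete."""
    registry, store = Registry(), Store()
    # Constructed sample data: a public image owned by another tenant.
    registry.images["img-1"] = {"owner": "tenant-a", "is_public": True}
    store.blobs["img-1"] = b"constructed image bytes"
    other_user = {"id": "tenant-b", "is_admin": False}
    try:
        delete_fn(registry, store, "img-1", other_user)
        got_403 = False
    except Forbidden:
        got_403 = True
    return got_403, "img-1" in store.blobs
```

Both orderings return the 403 to the caller, so the response code alone does not show whether the data survived; a regression test has to check the backend store as well.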
Related branches
lp:~gandelman-a/ubuntu/quantal/glance/2012.2.1
- Openstack Ubuntu Testers: Pending requested
Diff: 86 lines (+55/-2)
2 files modified
debian/changelog (+53/-1)
debian/control (+2/-1)
CVE References
| Changed in glance: | |
| milestone: | none → grizzly-1 |
| importance: | Undecided → Critical |
| Changed in glance: | |
| status: | Fix Committed → Fix Released |
| Changed in glance (Ubuntu): | |
| status: | New → Fix Released |
| Changed in glance (Ubuntu Quantal): | |
| status: | New → Confirmed |
| tags: | removed: in-stable-folsom |
| summary: |
- Non-admin users can cause public glance images to be deleted from the - backend storage repository in the v2 api + [OSSA-2012-017] Non-admin users can cause public glance images to be + deleted from the backend storage repository in the v2 api |
| Changed in ossa: | |
| assignee: | nobody → Russell Bryant (russellb) |
| status: | New → Fix Released |
| summary: |
- [OSSA-2012-017] Non-admin users can cause public glance images to be + [OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api |
| summary: |
[OSSA-2012-017.1] Non-admin users can cause public glance images to be - deleted from the backend storage repository in the v2 api + deleted in the v2 api |

Here's a fix!