Comment 9 for bug 1235378
Revision history for this message
| Thierry Carrez (ttx) wrote Re: 'image_download' role in v2 causes traceback | #9 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
7020100
(Get the code!)
That's Grizzly/Havana only, right ? here is my attempt to an impact description:
===
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Grizzly and later
Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image policy enforcement in the case of cached images. Deployers may opt to set a download_image policy to restrict image download to specific roles. However, when an image is previously cached by an authorized download, any authenticated user could download image contents if it can guess the image UUID, bypassing any download_image policy restrictions. This could result in disclosure of image contents that were thought to be protected by the download_image policy setting. Only setups making use of the download_image policy are affected.