User can change image status directly with v1 API
Bug #1496798 reported by Mike Fedosin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | Critical | Mike Fedosin | |
| 5.1.x | Fix Released | Critical | Sergii Rizvan | |
| 6.0.x | Fix Released | Critical | Sergii Rizvan | |
| 6.1.x | Fix Released | Critical | Sergii Rizvan | |
| 7.0.x | Fix Released | Critical | Mike Fedosin | |
| 8.0.x | Fix Released | Critical | Mike Fedosin | |
Bug Description
This issue was found upstream and I think we have to fix it ASAP:

"By submitting a HTTP PUT request with a
'x-image-
status of their images. A malicious tenant may exploit this flaw to reactivate disabled images, bypass storage quotas and in some cases replace image contents. Setups using the Glance v1 API allow the illegal modification of image status. Setups which also use the v2 API may allow a subsequent re-upload of image contents."

There is a patch for upstream Kilo; the patch for MOS 7.0 will be done today.
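As an added illustration, not Glance code and not part of the bug report: a minimal Python model of the v1 image-update path as described above. It shows how mapping every `x-image-meta-*` request header onto an image property lets a tenant set `status` directly (reactivating a deactivated image, or reopening it for upload with `queued`), beside a hardened update that refuses client-supplied status and anything outside a whitelist. The names `update_image_vulnerable`, `update_image_hardened`, `USER_SETTABLE`, `Forbidden` and `is_status_override_accepted`, and the sample image, are assumptions made for the example.

```python
# Added example (not Glance code, not from the bug report): a minimal model of
# the Glance v1 image-update path built from the bug description. Every name in
# this file is an assumption for the illustration, not a Glance identifier.

IMAGE_META_PREFIX = "x-image-meta-"

# Properties a tenant may legitimately change through v1 metadata headers
# (illustrative subset). "status" is deliberately absent: the service's own
# state machine owns it, never the client.
USER_SETTABLE = {"name", "disk_format", "container_format", "is_public",
                 "min_disk", "min_ram", "protected"}


class Forbidden(Exception):
    """Raised by the hardened path when a client tries to set a guarded field."""


def headers_to_image_meta(headers):
    """Decode x-image-meta-* headers into a property dict, the way v1 does.

    Header names are case-insensitive, so normalise before matching.
    """
    meta = {}
    for name, value in headers.items():
        key = name.lower()
        if key.startswith(IMAGE_META_PREFIX):
            meta[key[len(IMAGE_META_PREFIX):]] = value
    return meta


def update_image_vulnerable(image, headers):
    """Before the fix: every decoded property, "status" included, is applied.

    A tenant sending "X-Image-Meta-Status: active" against a deactivated image
    gets it reactivated; "queued" reopens it for a fresh data upload.
    """
    updated = dict(image)
    updated.update(headers_to_image_meta(headers))
    return updated


def update_image_hardened(image, headers):
    """After the fix: "status" and any non-whitelisted key are rejected.

    Status only ever changes through service-side transitions
    (queued -> saving -> active, or an admin deactivate/reactivate),
    never from request headers.
    """
    meta = headers_to_image_meta(headers)
    if "status" in meta:
        raise Forbidden("image status cannot be set by the client")
    unknown = set(meta) - USER_SETTABLE
    if unknown:
        raise Forbidden("unsupported image attributes: %s"
                        % ", ".join(sorted(unknown)))
    updated = dict(image)
    updated.update(meta)
    return updated


def is_status_override_accepted(update_fn, image, status="active"):
    """Return True if update_fn lets a client-supplied status through.

    Usable as a regression check: it must be False for the hardened path.
    """
    try:
        return update_fn(image, {"X-Image-Meta-Status": status})["status"] == status
    except Forbidden:
        return False


if __name__ == "__main__":
    # Constructed sample: a deactivated image a tenant tries to bring back.
    image = {"id": "11111111-2222-3333-4444-555555555555",
             "status": "deactivated", "name": "base-image"}
    print("vulnerable accepts status override:",
          is_status_override_accepted(update_image_vulnerable, image))
    print("hardened accepts status override:",
          is_status_override_accepted(update_image_hardened, image))
```

The probe function is the part worth keeping: pointed at a real v1 endpoint it would issue the same PUT with an `X-Image-Meta-Status` header against a throwaway image owned by the test tenant, and a 200 with the status echoed back means the deployment is still unpatched.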
Changed in mos:
status: New → Confirmed
information type: Private Security → Public Security
tags: added: glance
tags: added: on-automation
tags: added: feature-security
https://review.fuel-infra.org/#/c/11735/