Please review this impact description for correctness. I will use it to request a CVE for this issue once I've verified that it is accurate.
Title: Glance v1 API image status manipulation
Reporter: Hemanth Makkapati (Rackspace)
Products: Glance
Affects: all 2013.2 and 2014.1 versions, 2014.2 versions through 2014.2.3,
and 2015.1 versions through 2015.1.1
Description:
Hemanth Makkapati of Rackspace reported a vulnerability in Glance. By submitting
an HTTP PUT request with an 'x-image-meta-status' header, a malicious tenant can
manipulate the status of public images without requiring administrative
privileges. This may allow an attacker to reactivate a malicious image that
was disabled by an administrator, potentially impacting other tenants. Only setups
using the Glance v1 API are affected by this flaw.
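
A possible stop-gap for deployments that must keep the v1 API exposed, written as an added example (not Glance's own code or its fix): a WSGI filter that refuses v1 image PUT requests carrying the status header unless the caller is an admin. It assumes an upstream auth middleware sets a trusted, comma-separated `X-Roles` header and that the admin role is named `admin`; `RejectStatusHeader`, `is_status_tampering`, `send` and `backend` are hypothetical names.

```python
"""WSGI filter sketch: block non-admin status changes on Glance v1 image updates."""

# WSGI exposes 'x-image-meta-status' (any letter case) under this environ key.
STATUS_HEADER = "HTTP_X_IMAGE_META_STATUS"
V1_IMAGES_PREFIX = "/v1/images/"
ADMIN_ROLE = "admin"  # assumption: the deployment's admin role name


def is_status_tampering(environ):
    """True for a v1 image PUT that carries a status header from a non-admin."""
    if environ.get("REQUEST_METHOD", "").upper() != "PUT":
        return False
    if not environ.get("PATH_INFO", "").startswith(V1_IMAGES_PREFIX):
        return False
    if STATUS_HEADER not in environ:
        return False
    # Assumption: X-Roles was set by the auth middleware, not by the client.
    roles = {r.strip().lower() for r in environ.get("HTTP_X_ROLES", "").split(",")}
    return ADMIN_ROLE not in roles


class RejectStatusHeader:
    """Wrap a WSGI app and answer 403 instead of forwarding a tampering request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_status_tampering(environ):
            body = b"403 Forbidden: image status cannot be set by this request\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def backend(environ, start_response):
    """Constructed stand-in for the API application behind the filter."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def send(app, method, path, headers):
    """Drive the app with a constructed request and return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = []
    b"".join(app(environ, lambda status, hdrs: seen.append(status)))
    return seen[0]
```

A request with no `X-Roles` header at all is treated as non-admin, so the filter fails closed.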