Comment 21 for bug 1482371

Grant Murphy (gmurphy) wrote : Re: Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1

Please review this impact description for correctness. I will use it to request a CVE for this issue once I've verified that it is accurate.

Title: Glance v1 API image status manipulation
Reporter: Hemanth Makkapati (Rackspace)
Products: Glance
Affects: all 2013.2 and 2014.1 versions, 2014.2 versions through 2014.2.3,
          and 2015.1 versions through 2015.1.1

Description:
Hemanth Makkapati of Rackspace reported a vulnerability in Glance. By submitting
an HTTP PUT request with a 'x-image-meta-status' header, a malicious tenant can
manipulate the status of public images without requiring administrative
privileges. This may allow an attacker to reactivate a malicious image that
was disabled by an administrator, potentially impacting other tenants. Only setups
using the Glance v1 API are affected by this flaw.
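The impact description above says the core problem is that a non-admin tenant can set image status through a v1 metadata header. The following is an added, illustrative defender-side example written for this page; it is not Glance's code or the project's actual fix. It assumes a minimal request model (method, headers, admin flag) and a constructed access-log format, and shows both the mitigation (treat status as an admin-only attribute on v1 PUT/POST) and a simple detection pass over log lines that would surface attempts.

```python
"""
Illustrative check for the Glance v1 status-manipulation issue described above.
Editor-added example; not Glance code. The Request model, the log line format
and the helper names are assumptions made for this example.
"""

from dataclasses import dataclass, field

# Header named in the bug report. Image status is an administrative attribute;
# a tenant should never be able to set it through metadata headers.
PROTECTED_META_HEADERS = {"x-image-meta-status"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    is_admin: bool = False


class ForbiddenHeader(Exception):
    """Raised when a non-admin request tries to set a protected attribute."""


def filter_image_meta_headers(req: Request) -> dict:
    """Return lower-cased headers that may be applied to the image.

    Non-admin PUT/POST requests carrying a protected header are rejected
    outright (not silently dropped) so the attempt is visible to operators.
    Header names are compared case-insensitively because HTTP header names are.
    """
    lowered = {k.lower(): v for k, v in req.headers.items()}
    if req.method.upper() in ("PUT", "POST") and not req.is_admin:
        hits = PROTECTED_META_HEADERS & set(lowered)
        if hits:
            raise ForbiddenHeader(
                f"non-admin request may not set {sorted(hits)}"
            )
    return lowered


# Constructed log lines in an assumed key=value format; they are not real
# Glance API log output.
SAMPLE_LOG = """\
method=PUT path=/v1/images/abc admin=False hdrs=x-image-meta-name:foo
method=PUT path=/v1/images/abc admin=False hdrs=x-image-meta-status:active
method=PUT path=/v1/images/def admin=True hdrs=x-image-meta-status:active
method=GET path=/v1/images/abc admin=False hdrs=
"""


def find_status_manipulation_attempts(log_text: str) -> list:
    """Return (path, header) pairs for non-admin PUT/POST lines that carry a
    protected header. Useful as a retroactive check on v1 access logs."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("method", "").upper() not in ("PUT", "POST"):
            continue
        if fields.get("admin") == "True":
            continue
        hdr_names = {
            h.split(":", 1)[0].lower()
            for h in fields.get("hdrs", "").split(",")
            if h
        }
        for name in sorted(PROTECTED_META_HEADERS & hdr_names):
            findings.append((fields.get("path", ""), name))
    return findings


if __name__ == "__main__":
    try:
        filter_image_meta_headers(
            Request("PUT", {"X-Image-Meta-Status": "active"}, is_admin=False)
        )
    except ForbiddenHeader as exc:
        print("rejected:", exc)
    print("log findings:", find_status_manipulation_attempts(SAMPLE_LOG))
```

The filter is deliberately case-insensitive on header names, because a check that only matches the exact lower-case spelling would miss `X-Image-Meta-Status`. The log scan is the same predicate applied after the fact, so the two stay consistent if the protected set is ever extended.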