Comment 32 for bug 1482371

Grant Murphy (gmurphy) wrote : Re: Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1

Ok. How about this? Cover all the cases above?

Title: Glance v1 API image status manipulation
Reporter: Hemanth Makkapati (Rackspace)
Products: Glance
Affects: all 2013.2 and 2014.1 versions, 2014.2 versions through 2014.2.3,
          and 2015.1 versions through 2015.1.1

Description:
Hemanth Makkapati of Rackspace reported a vulnerability in Glance. By submitting an HTTP PUT request with an 'x-image-meta-status' header, a tenant can manipulate the status of their images. A malicious tenant may exploit this flaw to reactivate disabled images, bypass storage quotas and in some cases replace image contents. Setups using the Glance v1 API allow the illegal modification of image status. Setups which also use the v2 API may allow a subsequent re-upload of image contents.
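The mechanism in the draft advisory above, as an added illustration that is not Glance code and not part of this bug thread: the v1 API carries image metadata in 'x-image-meta-*' request headers, so an update path that merges every such header into the image record lets a tenant set 'status' directly. The example models that with a tiny in-memory store, shows the vulnerable merge beside a hardened variant that refuses caller-supplied values for server-managed attributes, and runs both against a constructed PUT that tries to reactivate a deactivated image. The store class, the function names, the READ_ONLY_ATTRS set, the admin flag and the sample request are all assumptions made for the example; they do not describe how Glance implemented its fix.

```python
"""Model of the Glance v1 'x-image-meta-status' manipulation (added example).

Not Glance code: ImageStore, update_image_vulnerable, update_image_hardened,
READ_ONLY_ATTRS, the is_admin flag and the sample request are assumptions.
"""

from typing import Dict, Tuple

HEADER_PREFIX = "x-image-meta-"

# Attributes the server owns. 'status' is the one exploited in the advisory;
# the rest are assumed here as further examples of server-managed fields.
READ_ONLY_ATTRS = frozenset(
    {"status", "id", "created_at", "updated_at", "size", "checksum"}
)


class Forbidden(Exception):
    """Raised when a non-admin caller tries to set a read-only attribute."""


def meta_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Map 'x-image-meta-<key>: <value>' headers to an image-metadata dict.

    Header names are case-insensitive, so they are lower-cased first; any
    header without the prefix is ignored.
    """
    meta = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(HEADER_PREFIX):
            meta[lname[len(HEADER_PREFIX):]] = value
    return meta


class ImageStore:
    """Minimal in-memory stand-in for the image registry (assumption)."""

    def __init__(self) -> None:
        self.images: Dict[str, Dict[str, str]] = {}

    def create(self, image_id: str, owner: str, status: str = "active"):
        self.images[image_id] = {"id": image_id, "owner": owner, "status": status}
        return self.images[image_id]


def update_image_vulnerable(store: ImageStore, image_id: str,
                            headers: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable path: every x-image-meta-* header is merged into the record,
    so 'x-image-meta-status: active' flips a deactivated image back to active."""
    image = store.images[image_id]
    image.update(meta_from_headers(headers))
    return image


def update_image_hardened(store: ImageStore, image_id: str,
                          headers: Dict[str, str],
                          is_admin: bool = False) -> Dict[str, str]:
    """Hardened path: reject the whole request (no partial update) when a
    non-admin caller supplies any server-managed attribute."""
    image = store.images[image_id]
    meta = meta_from_headers(headers)
    illegal = READ_ONLY_ATTRS.intersection(meta)
    if illegal and not is_admin:
        raise Forbidden(f"read-only attributes in request: {sorted(illegal)}")
    image.update(meta)
    return image


def demo() -> Tuple[str, str, bool]:
    """Run both paths against a constructed tenant request.

    Returns (status after vulnerable update, status after hardened update,
    whether the hardened path rejected the request).
    """
    # Constructed request: PUT /v1/images/<id> from the image owner, trying to
    # reactivate its own deactivated image while also renaming it.
    headers = {"X-Image-Meta-Status": "active", "X-Image-Meta-Name": "renamed"}

    vuln_store = ImageStore()
    vuln_store.create("img-1", owner="tenant-a", status="deactivated")
    vuln_status = update_image_vulnerable(vuln_store, "img-1", headers)["status"]

    hard_store = ImageStore()
    hard_store.create("img-1", owner="tenant-a", status="deactivated")
    rejected = False
    try:
        update_image_hardened(hard_store, "img-1", headers)
    except Forbidden:
        rejected = True
    hard_status = hard_store.images["img-1"]["status"]
    return vuln_status, hard_status, rejected


if __name__ == "__main__":
    print(demo())
```

The hardened variant refuses the request outright rather than silently dropping the offending header, so the attempt shows up as a 403-class failure in the caller's response and in server logs instead of succeeding for the benign fields only; whether a deployment should instead strip the attribute and continue is a policy choice, not something this advisory settles.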