Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 07 Nov 2012 17:10:07 -0500
From: Russell Bryant <>
Subject: [OSSA 2012-017] Authentication bypass for image deletion (CVE-2012-4573)

OpenStack Security Advisory: 2012-017
CVE: CVE-2012-4573
Date: November 7, 2012
Title: Authentication bypass for image deletion
Impact: High
Reporter: Gabe Westmaas (Rackspace)
Products: Glance
Affects: Essex, Folsom, Grizzly

Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. Only
Folsom/Grizzly deployments that expose the v1 API are affected by this
vulnerability. Additionally, Essex deployments that use the
delayed_delete option are also affected.

2012.2 (Folsom):
2012.1 (Essex):


This fix will be included in the grizzly-1 development milestone and in
a future 2012.2 (Folsom) release.

Russell Bryant
OpenStack Vulnerability Management Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ