Date: Sat, 3 Jan 2015 19:01:27 -0500 (EST)
From: cve-assign@...re.org
To: Grant Murphy <grant.murphy@...com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: [grant.murphy@...com: CVE request
 for vulnerability in OpenStack Glance]


>> A vulnerability was discovered in OpenStack (see below). In order to 
>> ensure full traceability, we need a CVE number assigned that we can 
>> attach to further notifications. This issue is already public, although 
>> an advisory was not sent yet.
>>
>> Title: Glance v2 API unrestricted path traversal
>> Reporter: Masahito Muroi (NTT)
>> Products: Glance
>> Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1
>>
>> Description: Masahito Muroi from NTT reported a vulnerability in 
>> Glance. By setting a malicious image location an authenticated user can 
>> download or delete any file on the Glance server to which the Glance
>> process user has access. Only setups using the Glance V2 API are
>> affected by this flaw.
>>
>> References:
>> https://launchpad.net/bugs/1400966

Use CVE-2014-9493.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
