Date: Sun, 18 Jan 2015 15:00:32 -0500 (EST)
From: cve-assign@...re.org
To: Tristan Cacqueray <tristan.cacqueray@...vance.com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE request for vulnerability in OpenStack Glance

> A vulnerability was discovered in OpenStack (see below). In order to
> ensure full traceability, we need a CVE number assigned that we can
> attach to further notifications. This issue is already public, although an
> advisory was not sent yet.
>
> Title: Glance user storage quota bypass
> Reporter: Tushar Patil (NTT)
> Products: Glance
> Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1
>
> Description:
> Tushar Patil from NTT reported a vulnerability in Glance. By deleting images
> that are being uploaded, a malicious user can overcome the storage quota and
> thus may overrun the backend. Images in deleted state are not taken into
> account by quota and won't be effectively deleted until the upload is
> completed. Only Glance setups configured with user_storage_quota are
> affected.
>
> References:
> https://launchpad.net/bugs/1398830
>
> Thanks in advance,
>
> --
> Tristan Cacqueray
> OpenStack Vulnerability Management Team

Use CVE-2014-9623.

---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
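
The accounting gap described in the quoted report, as an added example that is not part of the original message and is not Glance code: a simplified Python model comparing a quota check that skips deleted images with one that also counts deleted images whose upload is still open. The `Image` fields, function names, tenant name, quota and sizes are all constructed assumptions, and the second accounting is one possible approach, not the upstream fix.

```python
# Simplified model of per-user storage quota accounting (assumed, not Glance code).
from dataclasses import dataclass

QUOTA = 100  # constructed per-user quota, arbitrary units


@dataclass
class Image:
    owner: str
    size: int        # data written, or being written, to the backend
    status: str      # "active", "saving" or "deleted"
    uploading: bool  # True while the upload stream is still open


def usage_ignoring_deleted(images, owner):
    """Accounting as described in the report: deleted images are skipped."""
    return sum(i.size for i in images
               if i.owner == owner and i.status != "deleted")


def usage_counting_backend(images, owner):
    """Also count images marked deleted whose upload has not completed,
    because their data still occupies the backend."""
    return sum(i.size for i in images
               if i.owner == owner and (i.status != "deleted" or i.uploading))


def simulate(usage_fn, sizes, owner="tenant-a", quota=QUOTA):
    """Replay constructed events: each upload is checked against the quota,
    then marked deleted while its data is still being written.
    Returns (uploads admitted, units held on the backend)."""
    images, admitted = [], 0
    for size in sizes:
        if usage_fn(images, owner) + size > quota:
            continue  # rejected by the quota check
        images.append(Image(owner, size, "deleted", uploading=True))
        admitted += 1
    held = sum(i.size for i in images
               if i.status != "deleted" or i.uploading)
    return admitted, held


if __name__ == "__main__":
    sizes = [60, 60, 60]  # constructed upload sizes
    print("ignoring deleted:", simulate(usage_ignoring_deleted, sizes))
    print("counting backend:", simulate(usage_counting_backend, sizes))
```
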