Date: Sun, 18 Jan 2015 15:00:32 -0500 (EST)
From: cve-assign@...re.org
To: Tristan Cacqueray <tristan.cacqueray@...vance.com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE request for vulnerability in OpenStack Glance


> A vulnerability was discovered in OpenStack (see below). In order to
> ensure full traceability, we need a CVE number assigned that we can
> attach to further notifications. This issue is already public, although an
> advisory was not sent yet.
>
> Title: Glance user storage quota bypass
> Reporter: Tushar Patil (NTT)
> Products: Glance
> Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1
>
> Description:
> Tushar Patil from NTT reported a vulnerability in Glance. By deleting images
> that are being uploaded, a malicious user can overcome the storage quota and
> thus may overrun the backend. Images in deleted state are not taken into
> account by quota and won't be effectively deleted until the upload is
> completed. Only Glance setups configured with user_storage_quota are
> affected.
>
> References:
> https://launchpad.net/bugs/1398830
>
> Thanks in advance,
>
> -- 
> Tristan Cacqueray
> OpenStack Vulnerability Management Team

Use CVE-2014-9623.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
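
The quota gap described in the quoted report, as a simplified model added here for illustration. It is not Glance code and not the upstream fix; the `Image` class, the status names, the tenant name and every function below are assumptions made for the example.

```python
from dataclasses import dataclass

# Simplified model, not Glance code: statuses and field names are assumptions.
@dataclass
class Image:
    owner: str
    size: int                  # bytes the upload will occupy in the backend
    status: str                # "saving", "active" or "deleted"
    upload_done: bool = False  # data is reclaimed only after the upload completes

def reclaimed(img):
    """A deleted image frees backend space only once its upload has finished."""
    return img.status == "deleted" and img.upload_done

def usage_flawed(images, owner):
    """Accounting as described in the report: deleted images are ignored."""
    return sum(i.size for i in images
               if i.owner == owner and i.status != "deleted")

def usage_fixed(images, owner):
    """Count every image whose data still occupies the backend."""
    return sum(i.size for i in images
               if i.owner == owner and not reclaimed(i))

def backend_bytes(images):
    """Bytes actually held by the store, regardless of image status."""
    return sum(i.size for i in images if not reclaimed(i))

def admit(images, owner, size, quota, usage):
    """Accept a new upload only if the chosen accounting stays within quota."""
    if usage(images, owner) + size > quota:
        return False
    images.append(Image(owner, size, "saving"))
    return True

def simulate(usage, quota=100, size=60, attempts=5):
    """Constructed scenario: each image is deleted while its upload is in flight."""
    images, accepted = [], 0
    for _ in range(attempts):
        if admit(images, "tenant-a", size, quota, usage):
            accepted += 1
            images[-1].status = "deleted"  # delete arrives before upload ends
    return accepted, backend_bytes(images)

if __name__ == "__main__":
    print("flawed:", simulate(usage_flawed))
    print("fixed: ", simulate(usage_fixed))
```

With the flawed accounting the backend ends up holding three times the configured quota; counting in-flight deleted images caps it at a single upload.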
