Date: Wed, 07 Nov 2012 17:10:07 -0500
From: Russell Bryant <>
Subject: [OSSA 2012-017] Authentication bypass for image deletion (CVE-2012-4573)

OpenStack Security Advisory: 2012-017
CVE: CVE-2012-4573
Date: November 7, 2012
Title: Authentication bypass for image deletion
Impact: High
Reporter: Gabe Westmaas (Rackspace)
Products: Glance
Affects: Essex, Folsom, Grizzly

Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. Only
Folsom/Grizzly deployments that expose the v1 API are affected by this
vulnerability. Additionally, Essex deployments that use the
delayed_delete option are also affected.

2012.2 (Folsom):
2012.1 (Essex):


This fix will be included in the grizzly-1 development milestone and in
a future 2012.2 (Folsom) release.

Russell Bryant
OpenStack Vulnerability Management Team
