OSSA-2012-017: Authentication bypass for image deletion

Date:November 07, 2012
CVE:CVE-2012-4573, CVE-2012-5482

Affects

  • Glance: Essex, Folsom, Grizzly

Description

Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. Only Folsom/Grizzly deployments that expose the v1 API are affected by this vulnerability. Additionally, Essex deployments that use the delayed_delete option are also affected.

Credits

  • Gabe Westmaas from Rackspace (CVE-2012-4573, CVE-2012-5482)