OSSA-2013-007: Backend credentials leak in Glance v1 API

OSSA-2013-007: Backend credentials leak in Glance v1 API¶

Date:: March 14, 2013
CVE:: CVE-2013-1840

Affects¶

Glance: All versions

Description¶

Stuart McLaren from HP reported a vulnerability in the information potentially returned to the user in Glance v1 API. If an authenticated user requests, through the v1 API, an image that is already cached, the headers returned may disclose the Glance operator’s backend credentials for that endpoint. Only setups accepting the Glance v1 API and using either the single-tenant Swift store or S3 store are affected.

Patches¶

https://review.openstack.org/#/c/24439 (Essex)
https://review.openstack.org/#/c/24438 (Folsom)
https://review.openstack.org/#/c/24437 (Grizzly)

Credits¶

Stuart McLaren from HP (CVE-2013-1840)

References¶

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.