OSSA-2014-012: Remote code execution in Glance Sheepdog backend

Date: April 10, 2014
CVE: CVE-2014-0162

Affects

  • Glance: from 2013.2 to 2013.2.3

Description

Paul McMillan from Nebula reported a vulnerability in the Glance Sheepdog backend. By using a specially crafted location, a user allowed to insert or modify Glance image metadata may trigger code execution on the Glance host as the user the Glance service runs under. This may result in unauthorized access to the Glance host and further compromise of the Glance service. All setups using Glance server with the sheepdog backend (enabled by default) are affected.

Credits

  • Paul McMillan from Nebula (CVE-2014-0162)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.