OSSA-2015-014: Glance v2 API host file disclosure through qcow2 backing file

OSSA-2015-014: Glance v2 API host file disclosure through qcow2 backing file¶

Date:: August 13, 2015
CVE:: CVE-2015-5163

Affects¶

Glance: 2015.1 versions through 2015.1.1

Description¶

Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead Glance import task action, resulting in the disclosure of any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.

Patches¶

https://review.openstack.org/212568 (Kilo)
https://review.openstack.org/212567 (Liberty)

Credits¶

Eric Harney from Red Hat (CVE-2015-5163)

References¶

Notes¶

This fix will be included in the future 2015.1.2 (kilo) release.

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.