[OSSA 2013-007] Backend credentials leak in Glance v1 API (CVE-2013-1840)
OpenStack Security Advisory: 2013-007
CVE: CVE-2013-1840
Date: March 14, 2013
Title: Backend credentials leak in Glance v1 API
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: All versions

Description:
Stuart McLaren from HP reported a vulnerability in the information potentially returned to the user in Glance v1 API. If an authenticated user requests, through the v1 API, an image that is already cached, the headers returned may disclose the Glance operator's backend credentials for that endpoint. Only setups accepting the Glance v1 API and using either the single-tenant Swift store or S3 store are affected.

Grizzly (development branch) fix: https://review.openstack.org/24437
Folsom fix: https://review.openstack.org/24438
Essex fix: https://review.openstack.org/24439

References:
https://bugs.launchpad.net/glance/+bug/1135541
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1840

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
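
A defender-side check for the leak described in the advisory, as an added example that is not part of the original advisory or of Glance's own code: it scans captured v1 API response headers for Swift or S3 store URIs that carry credentials before the `@`, reports them, and masks them. The URI schemes, the `x-image-meta-location` header name and every sample value are assumptions constructed for illustration.

```python
import re

# Assumption: store URIs use swift/s3 schemes (optionally +http/+https) and,
# for the single-tenant Swift and S3 stores, embed credentials before '@'.
STORE_URI = re.compile(r"\b((?:swift|s3)(?:\+https?)?)://(\S+)", re.IGNORECASE)
MASK = "<redacted>"

def scan_headers(headers):
    """Return (findings, sanitized): findings lists (header, scheme) pairs
    whose value held a credential-bearing store URI; sanitized is a copy of
    the headers with the userinfo part masked."""
    findings, sanitized = [], {}
    for name, value in headers.items():
        def _mask(match, name=name):
            scheme, rest = match.group(1), match.group(2)
            # Split on the LAST '@': S3 secret keys may contain '/', so a
            # generic URL parser could cut the secret short and leak part of it.
            userinfo, at, hostpath = rest.rpartition("@")
            if not at:
                return match.group(0)  # no embedded credentials
            findings.append((name, scheme.lower()))
            return f"{scheme}://{MASK}@{hostpath}"
        sanitized[name] = STORE_URI.sub(_mask, value)
    return findings, sanitized

# Constructed sample responses (not real captures, not real keys).
SAMPLE_SWIFT = {
    "Content-Type": "application/octet-stream",
    "x-image-meta-location":
        "swift+https://tenant:glance:EXAMPLE-KEY@auth.example.test/v2.0/images/img-1",
}
SAMPLE_S3 = {
    "x-image-meta-location":
        "s3://EXAMPLEACCESS:EXAMPLE/SECRET@s3.example.test/bucket/img",
}
SAMPLE_CLEAN = {
    "Content-Type": "application/octet-stream",
    "x-image-meta-location": "swift+https://auth.example.test/v2.0/images/img-1",
}

if __name__ == "__main__":
    for label, hdrs in [("swift", SAMPLE_SWIFT), ("s3", SAMPLE_S3),
                        ("clean", SAMPLE_CLEAN)]:
        found, clean = scan_headers(hdrs)
        print(label, "LEAK" if found else "ok", found, clean)
```

Run it over headers recorded from an unpatched and a patched deployment; a patched one should produce no findings for cached images.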