[OSSA 2013-007] Backend credentials leak in Glance v1 API (CVE-2013-1840)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-007 CVE: CVE-2013-1840 Date: March 14, 2013 Title: Backend credentials leak in Glance v1 API Reporter: Stuart McLaren (HP) Products: Glance Affects: All versions Description: Stuart McLaren from HP reported a vulnerability in the information potentially returned to the user in Glance v1 API. If an authenticated user requests, through the v1 API, an image that is already cached, the headers returned may disclose the Glance operator's backend credentials for that endpoint. Only setups accepting the Glance v1 API and using either the single-tenant Swift store or S3 store are affected. Grizzly (development branch) fix: https://review.openstack.org/24437 Folsom fix: https://review.openstack.org/24438 Essex fix: https://review.openstack.org/24439 References: https://bugs.launchpad.net/glance/+bug/1135541 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1840 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRQfdoAAoJEFB6+JAlsQQj0g4QAL+tmSjDHukvwPZ1D72ClLIR NKV9ceVNT+qus1W5Og2GOKjnrib8X4qkoR/P/Wp+nEoWYosch4YTMvpxc8hamm9P OohMdT4RFxQut//ZR6sn/TC2qLgErovlZRMxBKA43sFqHNbirprF5b9A4fF7glp6 atPAAM7rIHTJDXHvE+a8Qe8qOPKJKP1pOXrSZDL94ZMPq6uAy/0M0v/r/++aAUHy Qr7p2ITuVepJ3IM9/sZ+RQ1PXFya0BGBpLBEgaotBmmOMI/FNbthS3PT8W1ywX0S gpgcBLiXMXoNsMZCmsLeYirzldaT+ZtqjOxYqZYiAjn5cIQ5XXjFPq8w9vlh83An 8IVnanVl4C1M4hnYo3sCeFsCnh5sLdM/LVnd19Wz1k1PHTCM7vrNtU0wqAMQFj2C BQqNMMcQvFZdEjvzYymlm365DP07DHOi/jgK59EWCfeaEHx4Vs4fL0a9nnoxs/fV 8SysPv4A3iAaXDOan+0s+T0dac2/KU2FBio0+cuvV4qASYWN5CHAR9/6icWJQ2qh InUWIqcgwcOqR6azhQHg/ARw7iNZtv+omVvVOYZu6HOiK4BDj8RkQmPyWsis/ekU 4Ez6AyKSDmRHtoR9w7GcM14xCrHyqFfbaGUp+qDI73NNGmbXXtXlVEO8/g2ywbKc F0k3S2Z5fLOPFeo9ll4C =BmKh -----END PGP SIGNATURE-----
participants (1)
-
Thierry Carrez