[OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212)
OpenStack Security Advisory: 2013-002
CVE: CVE-2013-0212
Date: January 29, 2013
Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions
Dan Prince of Red Hat discovered an issue in Glance error reporting. By creating an image in Glance by URL that references a mis-configured Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image references for any reason becomes unusable, an authenticated user may access the Glance operator's Swift credentials for that endpoint. Only setups that use the single-tenant Swift store are affected.
Grizzly (development branch) fix: http://github.com/openstack/glance/commit/e96273112b5b5da58d970796b7cfce04c5...
Folsom fix (included in upcoming Glance 2012.2.3 stable update): http://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed9...
Essex fix: http://github.com/openstack/glance/commit/37d4d96bf88c2bf3e7e9511b5e321cf4be...
References:
https://bugs.launchpad.net/glance/+bug/1098962
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0212
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
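The class of bug described in the advisory, shown as an added example that is not Glance's code or the upstream fix: an error path that formats a backend location into a user-visible message, next to a version that redacts it first. It assumes the single-tenant Swift location carries credentials in the URI userinfo (`swift+https://user:key@authurl/container/object`); `BackendError`, `redact_location`, the `fetch_*` functions and the sample URI are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample location; user, key and host are placeholders.
SAMPLE_LOCATION = (
    "swift+https://tenant%3Aglance:S3cr3tKey@auth.example.org:5000"
    "/v2.0/images/1f2e3d"
)


class BackendError(Exception):
    """Hypothetical error whose message is returned to the API user."""


def redact_location(uri):
    """Return uri with any user:password userinfo replaced by '***'."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        # A malformed location must not be echoed back verbatim either.
        return "<unparseable location>"
    if "@" not in parts.netloc:
        return uri
    # rsplit keeps the host even if the password itself contains '@'.
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(
        (parts.scheme, "***@" + host, parts.path, parts.query, parts.fragment)
    )


def fetch_vulnerable(location):
    # Before: the full location, credentials included, reaches the message.
    raise BackendError("Could not reach store at %s" % location)


def fetch_hardened(location):
    # After: only the redacted form is ever formatted into the message.
    raise BackendError("Could not reach store at %s" % redact_location(location))


def message_of(func, location):
    """Return the error text an API user would see for this location."""
    try:
        func(location)
    except BackendError as exc:
        return str(exc)
```

The same redaction belongs on log lines and image metadata returned by the API, since any of them can carry the stored location.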