[Secure-testing-team] Bug#773836: glance: unrestricted path traversal flaw
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 23 20:47:46 UTC 2014
Source: glance
Version: 2014.1.3-5
Severity: serious
Tags: security upstream
Hi
Setting this to serious/RC since this probably should go as well to
jessie (please let me know if you disagree on severity). From [1]:
[1] http://www.openwall.com/lists/oss-security/2014/12/23/2
> Masahito Muroi from NTT reported a vulnerability in Glance. By setting
> a malicious image location an authenticated user can download or delete
> any file on the Glance server for which the Glance process user has
> access to. Only setups using the Glance V2 API are affected by this flaw.
More details are also on the Red Hat bugzilla entry[2].
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1174474
Regards,
Salvatore