Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2015-1195

Опубликовано: 12 янв. 2015
Источник: redhat
CVSS2: 5.5
EPSS Низкий

Описание

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.

It was discovered that the fix for CVE-2014-9493 was incomplete: an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.

Отчет

The fix for CVE-2014-9493 is complete and openstack-glance for Red Hat Enterprise Linux Open Stack Platform 4.0 and 5.0 is not affected by this issue. This issue did not affect the version of openstack-glance as shipped with Red Hat Enterprise Linux Open Stack Platform 6.0.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)openstack-glanceNot affected
Red Hat Enterprise Linux OpenStack Platform 6 (Juno)openstack-glanceNot affected
Red Hat OpenStack Platform 4openstack-glanceNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=1181533openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)

EPSS

Процентиль: 78%
0.01105
Низкий

5.5 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2015-1195

ubuntu
около 11 лет назад

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.

nvd логотип

CVE-2015-1195

nvd
около 11 лет назад

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.

debian логотип

CVE-2015-1195

debian
около 11 лет назад

The V2 API in OpenStack Image Registry and Delivery Service (Glance) b ...

github логотип

GHSA-pwrj-f53c-f89j

github
больше 3 лет назад

OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme

EPSS

Процентиль: 78%
0.01105
Низкий

5.5 Medium

CVSS2