ID CVE-2012-4573 Type cve Reporter NVD Modified 2017-08-28T21:32:19
Description
The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.
{"nessus": [{"lastseen": "2019-01-16T20:15:03", "bulletinFamily": "scanner", "description": "USN-1626-1 fixed vulnerabilities in the v1 API of Glance. This update\nprovides the corresponding updates for the v2 API.\n\nGabe Westmaas discovered that Glance did not always properly enforce\naccess controls when deleting images. An authenticated user could\ndelete arbitrary images by using the v1 API under certain\ncircumstances.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-01T00:00:00", "published": "2012-11-12T00:00:00", "id": "UBUNTU_USN-1626-2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=62888", "title": "Ubuntu 12.10 : glance vulnerability (USN-1626-2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1626-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62888);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:07\");\n\n script_cve_id(\"CVE-2012-4573\");\n script_bugtraq_id(56437);\n script_xref(name:\"USN\", value:\"1626-2\");\n\n script_name(english:\"Ubuntu 12.10 : glance vulnerability (USN-1626-2)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-1626-1 fixed vulnerabilities in the v1 API of Glance. This update\nprovides the corresponding updates for the v2 API.\n\nGabe Westmaas discovered that Glance did not always properly enforce\naccess controls when deleting images. An authenticated user could\ndelete arbitrary images by using the v1 API under certain\ncircumstances.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1626-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-glance package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-glance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.10\", pkgname:\"python-glance\", pkgver:\"2012.2-0ubuntu2.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-glance\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:15:03", "bulletinFamily": "scanner", "description": "Gabe Westmaas discovered that Glance did not always properly enforce\naccess controls when deleting images. An authenticated user could\ndelete arbitrary images by using the v1 API under certain\ncircumstances.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-01T00:00:00", "published": "2012-11-09T00:00:00", "id": "UBUNTU_USN-1626-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=62868", "title": "Ubuntu 12.04 LTS / 12.10 : glance vulnerability (USN-1626-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1626-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62868);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/12/01 13:19:07\");\n\n script_cve_id(\"CVE-2012-4573\");\n script_xref(name:\"USN\", value:\"1626-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 12.10 : glance vulnerability (USN-1626-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Gabe Westmaas discovered that Glance did not always properly enforce\naccess controls when deleting images. An authenticated user could\ndelete arbitrary images by using the v1 API under certain\ncircumstances.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1626-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-glance package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-glance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(12\\.04|12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 12.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python-glance\", pkgver:\"2012.1.3+stable~20120821-120fcf-0ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"python-glance\", pkgver:\"2012.2-0ubuntu2.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-glance\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:15:05", "bulletinFamily": "scanner", "description": "- Fix Glance Authentication bypass for image deletion\n\n - Update to stable/essex 2012.1.2 including...\n\n - Support zero-size image creation via the v1 API\n\n - Allow admins to share images regardless of owner\n\n - Log sensitive store info, rather than exposing over\n API\n\n - Fix the qpid_heartbeat option to avoid connection\n timeouts\n\n - Fix image.upload notification to not send stale\n metadata\n\n - Include chunk_name in swift debug message\n\n - Fix scrubber exception when microsecs in DB\n (PostgreSQL) dates\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2015-10-20T00:00:00", "published": "2012-11-21T00:00:00", "id": "FEDORA_2012-18085.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=62978", "title": "Fedora 17 : openstack-glance-2012.1.2-2.fc17 (2012-18085)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-18085.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62978);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/10/20 22:34:53 $\");\n\n script_cve_id(\"CVE-2012-4573\", \"CVE-2012-5482\");\n script_bugtraq_id(56437);\n script_xref(name:\"FEDORA\", value:\"2012-18085\");\n\n script_name(english:\"Fedora 17 : openstack-glance-2012.1.2-2.fc17 (2012-18085)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fix Glance Authentication bypass for image deletion\n\n - Update to stable/essex 2012.1.2 including...\n\n - Support zero-size image creation via the v1 API\n\n - Allow admins to share images regardless of owner\n\n - Log sensitive store info, rather than exposing over\n API\n\n - Fix the qpid_heartbeat option to avoid connection\n timeouts\n\n - Fix image.upload notification to not send stale\n metadata\n\n - Include chunk_name in swift debug message\n\n - Fix scrubber exception when microsecs in DB\n (PostgreSQL) dates\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=874567\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-November/092604.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af8951a7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openstack-glance package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openstack-glance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"openstack-glance-2012.1.2-2.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openstack-glance\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:15:04", "bulletinFamily": "scanner", "description": "- Fix Glance Authentication bypass for image deletion\n (CVE-2012-4573)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2015-10-20T00:00:00", "published": "2012-11-14T00:00:00", "id": "FEDORA_2012-17901.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=62914", "title": "Fedora 18 : openstack-glance-2012.2-3.fc18 (2012-17901)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-17901.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62914);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/10/20 22:34:53 $\");\n\n script_cve_id(\"CVE-2012-4573\", \"CVE-2012-5482\");\n script_bugtraq_id(56437);\n script_xref(name:\"FEDORA\", value:\"2012-17901\");\n\n script_name(english:\"Fedora 18 : openstack-glance-2012.2-3.fc18 (2012-17901)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fix Glance Authentication bypass for image deletion\n (CVE-2012-4573)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=872302\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-November/092192.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4dd2797c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openstack-glance package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openstack-glance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"openstack-glance-2012.2-3.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openstack-glance\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-12-04T11:20:28", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1626-1", "modified": "2017-12-01T00:00:00", "published": "2012-11-09T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=841210", "id": "OPENVAS:841210", "title": "Ubuntu Update for glance USN-1626-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1626_1.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for glance USN-1626-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Gabe Westmaas discovered that Glance did not always properly enforce access\n controls when deleting images. An authenticated user could delete arbitrary\n images by using the v1 API under certain circumstances.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1626-1\";\ntag_affected = \"glance on Ubuntu 12.10 ,\n Ubuntu 12.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1626-1/\");\n script_id(841210);\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-09 09:34:31 +0530 (Fri, 09 Nov 2012)\");\n script_cve_id(\"CVE-2012-4573\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_xref(name: \"USN\", value: \"1626-1\");\n script_name(\"Ubuntu Update for glance USN-1626-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.1.3+stable~20120821-120fcf-0ubuntu1.2\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.2-0ubuntu2.2\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:59:28", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1626-2", "modified": "2018-08-17T00:00:00", "published": "2012-11-15T00:00:00", "id": "OPENVAS:1361412562310841214", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841214", "title": "Ubuntu Update for glance USN-1626-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1626_2.nasl 11037 2018-08-17 11:51:16Z cfischer $\n#\n# Ubuntu Update for glance USN-1626-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\n\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1626-2/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841214\");\n script_version(\"$Revision: 11037 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-17 13:51:16 +0200 (Fri, 17 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-15 11:49:23 +0530 (Thu, 15 Nov 2012)\");\n script_cve_id(\"CVE-2012-4573\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_xref(name:\"USN\", value:\"1626-2\");\n script_name(\"Ubuntu Update for glance USN-1626-2\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.10\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1626-2\");\n script_tag(name:\"affected\", value:\"glance on Ubuntu 12.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"USN-1626-1 fixed vulnerabilities in the v1 API of Glance. This update\n provides the corresponding updates for the v2 API.\n\n Original advisory details:\n\n Gabe Westmaas discovered that Glance did not always properly enforce access\n controls when deleting images. An authenticated user could delete arbitrary\n images by using the v1 API under certain circumstances.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.2-0ubuntu2.3\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-04T11:19:48", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1626-2", "modified": "2017-12-01T00:00:00", "published": "2012-11-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=841214", "id": "OPENVAS:841214", "title": "Ubuntu Update for glance USN-1626-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1626_2.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for glance USN-1626-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"USN-1626-1 fixed vulnerabilities in the v1 API of Glance. This update\n provides the corresponding updates for the v2 API.\n\n Original advisory details:\n \n Gabe Westmaas discovered that Glance did not always properly enforce access\n controls when deleting images. An authenticated user could delete arbitrary\n images by using the v1 API under certain circumstances.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1626-2\";\ntag_affected = \"glance on Ubuntu 12.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1626-2/\");\n script_id(841214);\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-15 11:49:23 +0530 (Thu, 15 Nov 2012)\");\n script_cve_id(\"CVE-2012-4573\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_xref(name: \"USN\", value: \"1626-2\");\n script_name(\"Ubuntu Update for glance USN-1626-2\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.2-0ubuntu2.3\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:59:02", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1626-1", "modified": "2018-08-17T00:00:00", "published": "2012-11-09T00:00:00", "id": "OPENVAS:1361412562310841210", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841210", "title": "Ubuntu Update for glance USN-1626-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1626_1.nasl 11037 2018-08-17 11:51:16Z cfischer $\n#\n# Ubuntu Update for glance USN-1626-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\n\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1626-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841210\");\n script_version(\"$Revision: 11037 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-17 13:51:16 +0200 (Fri, 17 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-09 09:34:31 +0530 (Fri, 09 Nov 2012)\");\n script_cve_id(\"CVE-2012-4573\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_xref(name:\"USN\", value:\"1626-1\");\n script_name(\"Ubuntu Update for glance USN-1626-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.04 LTS|12\\.10)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1626-1\");\n script_tag(name:\"affected\", value:\"glance on Ubuntu 12.10,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Gabe Westmaas discovered that Glance did not always properly enforce access\n controls when deleting images. An authenticated user could delete arbitrary\n images by using the v1 API under certain circumstances.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.1.3+stable~20120821-120fcf-0ubuntu1.2\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.2-0ubuntu2.2\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:59:30", "bulletinFamily": "scanner", "description": "Check for the Version of openstack-glance", "modified": "2018-04-06T00:00:00", "published": "2012-11-23T00:00:00", "id": "OPENVAS:1361412562310864884", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864884", "title": "Fedora Update for openstack-glance FEDORA-2012-18085", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openstack-glance FEDORA-2012-18085\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenStack Image Service (code-named Glance) provides discovery, registration,\n and delivery services for virtual disk images. The Image Service API server\n provides a standard REST interface for querying information about virtual disk\n images stored in a variety of back-end stores, including OpenStack Object\n Storage. Clients can register new virtual disk images with the Image Service,\n query for information on publicly available disk images, and use the Image\n Service's client library for streaming virtual disk images.\n\n This package contains the API and registry servers.\";\n\ntag_affected = \"openstack-glance on Fedora 17\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092604.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864884\");\n script_version(\"$Revision: 9352 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:13:02 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-23 11:35:28 +0530 (Fri, 23 Nov 2012)\");\n script_cve_id(\"CVE-2012-4573\", \"CVE-2012-5482\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-18085\");\n script_name(\"Fedora Update for openstack-glance FEDORA-2012-18085\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openstack-glance\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"openstack-glance\", rpm:\"openstack-glance~2012.1.2~2.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-06T13:06:59", "bulletinFamily": "scanner", "description": "Check for the Version of openstack-glance", "modified": "2018-01-05T00:00:00", "published": "2012-11-23T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=864884", "id": "OPENVAS:864884", "title": "Fedora Update for openstack-glance FEDORA-2012-18085", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openstack-glance FEDORA-2012-18085\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenStack Image Service (code-named Glance) provides discovery, registration,\n and delivery services for virtual disk images. The Image Service API server\n provides a standard REST interface for querying information about virtual disk\n images stored in a variety of back-end stores, including OpenStack Object\n Storage. Clients can register new virtual disk images with the Image Service,\n query for information on publicly available disk images, and use the Image\n Service's client library for streaming virtual disk images.\n\n This package contains the API and registry servers.\";\n\ntag_affected = \"openstack-glance on Fedora 17\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092604.html\");\n script_id(864884);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-23 11:35:28 +0530 (Fri, 23 Nov 2012)\");\n script_cve_id(\"CVE-2012-4573\", \"CVE-2012-5482\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-18085\");\n script_name(\"Fedora Update for openstack-glance FEDORA-2012-18085\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openstack-glance\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"openstack-glance\", rpm:\"openstack-glance~2012.1.2~2.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:49", "bulletinFamily": "software", "description": "Insufficient access control validation.", "modified": "2012-11-09T00:00:00", "published": "2012-11-09T00:00:00", "id": "SECURITYVULNS:VULN:12706", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12706", "title": "Glance unauthorized images deletion", "type": "securityvulns", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "description": "\r\n\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-1626-1\r\nNovember 08, 2012\r\n\r\nglance vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 12.10\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nGlance could be made to delete arbitrary images.\r\n\r\nSoftware Description:\r\n- glance: OpenStack Image Registry and Delivery Service\r\n\r\nDetails:\r\n\r\nGabe Westmaas discovered that Glance did not always properly enforce access\r\ncontrols when deleting images. An authenticated user could delete arbitrary\r\nimages by using the v1 API under certain circumstances.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 12.10:\r\n python-glance 2012.2-0ubuntu2.2\r\n\r\nUbuntu 12.04 LTS:\r\n python-glance 2012.1.3+stable~20120821-120fcf-0ubuntu1.2\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-1626-1\r\n CVE-2012-4573\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/glance/2012.2-0ubuntu2.2\r\n\r\nhttps://launchpad.net/ubuntu/+source/glance/2012.1.3+stable~20120821-120fcf-0ubuntu1.2\r\n\r\n\r\n", "modified": "2012-11-09T00:00:00", "published": "2012-11-09T00:00:00", "id": "SECURITYVULNS:DOC:28747", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28747", "title": "[USN-1626-1] Glance vulnerability", "type": "securityvulns", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:50:35", "bulletinFamily": "unix", "description": "OpenStack glance had a bug where image deletion was allowed\n for all logged in users (CVE-2012-4573). This has been\n fixed.\n", "modified": "2012-11-08T18:08:45", "published": "2012-11-08T18:08:45", "id": "SUSE-SU-2012:1455-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00002.html", "title": "Security update for openstack-glance (important)", "type": "suse", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:10:18", "bulletinFamily": "unix", "description": "Gabe Westmaas discovered that Glance did not always properly enforce access controls when deleting images. An authenticated user could delete arbitrary images by using the v1 API under certain circumstances.", "modified": "2012-11-08T00:00:00", "published": "2012-11-08T00:00:00", "id": "USN-1626-1", "href": "https://usn.ubuntu.com/1626-1/", "title": "Glance vulnerability", "type": "ubuntu", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:38", "bulletinFamily": "unix", "description": "USN-1626-1 fixed vulnerabilities in the v1 API of Glance. This update provides the corresponding updates for the v2 API.\n\nOriginal advisory details:\n\nGabe Westmaas discovered that Glance did not always properly enforce access controls when deleting images. An authenticated user could delete arbitrary images by using the v1 API under certain circumstances.", "modified": "2012-11-09T00:00:00", "published": "2012-11-09T00:00:00", "id": "USN-1626-2", "href": "https://usn.ubuntu.com/1626-2/", "title": "Glance vulnerability", "type": "ubuntu", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-12-11T17:42:22", "bulletinFamily": "unix", "description": "The openstack-glance packages allows virtual machine images to be discovered,\nregistered and retrieved. It also includes a RESTful API to provide these\nservices to other applications.\n\nThe openstack-glance packages have been upgraded to upstream version 2012.1.2,\nwhich provide a number of bug fixes and enhancements over the previous version.\n\nA flaw in Keystone allowed an attacker with access to the web and network \ninterfaces to delete arbitrary, non-protected images from Glance servers. \n(CVE-2012-4573) \n\nRed Hat would like to thank the OpenStack project for reporting this\nissue. Upstream acknowledges Gabe Westmaas as the original reporter of\nCVE-2012-4573.\n\nAll users of openstack-glance are advised to upgrade to these updated packages,\nwhich fix these bugs and add these enhancements. After installing the updated\npackages, the Glance services (openstack-glance-api and\nopenstack-glance-registry) will be restarted automatically.\n", "modified": "2018-04-11T16:12:55", "published": "2012-12-10T05:00:00", "id": "RHSA-2012:1558", "href": "https://access.redhat.com/errata/RHSA-2012:1558", "type": "redhat", "title": "(RHSA-2012:1558) Low: openstack-glance security update", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:PARTIAL/"}}]}
