GitHub Advisory Database: GHSA-WMHW-FVG9-87FC
History: May 17, 2022 - 2:52 a.m.

OpenStack Glance Signature Verification Bypass

2022-05-17 02:52:21
CWE-328
GitHub Advisory Database
github.com
Tags: openstack, glance, signature verification, bypass, md5 collision, software

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS: 0.003
Percentile: 69.1%

The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision.

Affected configurations

Vulners
Node: glance_project glance, Range: 11.0.0

Vendor: glance_project
Product: glance
Version: *
CPE: cpe:2.3:a:glance_project:glance:*:*:*:*:*:*:*:*
