ID SECURITYVULNS:DOC:29963 Type securityvulns Reporter Securityvulns Modified 2013-10-28T00:00:00
Description
==========================================================================
Ubuntu Security Notice USN-2003-1
October 23, 2013
glance vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 13.04
Ubuntu 12.10
Summary:
Glance could be made to expose sensitive information over the network
under certain circumstances.
Software Description:
- glance: OpenStack Image Registry and Delivery Service
Details:
Stuart McLaren discovered that Glance did not properly enforce the
'download_image' policy for cached images. An authenticated user could
exploit this to obtain sensitive information in an image protected by this
setting.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.04:
python-glance 1:2013.1.3-0ubuntu1.1
Ubuntu 12.10:
python-glance 2012.2.4-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
{"id": "SECURITYVULNS:DOC:29963", "bulletinFamily": "software", "title": "[USN-2003-1] Glance vulnerability", "description": "\r\n\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2003-1\r\nOctober 23, 2013\r\n\r\nglance vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 13.04\r\n- Ubuntu 12.10\r\n\r\nSummary:\r\n\r\nGlance could be made to expose sensitive information over the network\r\nunder certain circumstances.\r\n\r\nSoftware Description:\r\n- glance: OpenStack Image Registry and Delivery Service\r\n\r\nDetails:\r\n\r\nStuart McLaren discovered that Glance did not properly enforce the\r\n'download_image' policy for cached images. An authenticated user could\r\nexploit this to obtain sensitive information in an image protected by this\r\nsetting.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 13.04:\r\n python-glance 1:2013.1.3-0ubuntu1.1\r\n\r\nUbuntu 12.10:\r\n python-glance 2012.2.4-0ubuntu1.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2003-1\r\n CVE-2013-4428\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/glance/1:2013.1.3-0ubuntu1.1\r\n https://launchpad.net/ubuntu/+source/glance/2012.2.4-0ubuntu1.1\r\n\r\n\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n", "published": "2013-10-28T00:00:00", "modified": "2013-10-28T00:00:00", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29963", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2013-4428"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:49", "edition": 1, "viewCount": 7, "enchantments": {"score": {"value": 6.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2013-4428"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2013-4428"]}, {"type": "nessus", "idList": ["UBUNTU_USN-2003-1.NASL"]}, {"type": "redhat", "idList": ["RHSA-2013:1525"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13374"]}, {"type": "ubuntu", "idList": ["USN-2003-1"]}]}, "exploitation": null, "vulnersScore": 6.0}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645269137}}
{"nessus": [{"lastseen": "2021-08-19T12:52:42", "description": "Stuart McLaren discovered that Glance did not properly enforce the 'download_image' policy for cached images. An authenticated user could exploit this to obtain sensitive information in an image protected by this setting.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2013-10-24T00:00:00", "type": "nessus", "title": "Ubuntu 12.10 / 13.04 : glance vulnerability (USN-2003-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4428"], "modified": "2019-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:python-glance", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/o:canonical:ubuntu_linux:13.04"], "id": "UBUNTU_USN-2003-1.NASL", "href": "https://www.tenable.com/plugins/nessus/70582", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2003-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70582);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-4428\");\n script_bugtraq_id(63159);\n script_xref(name:\"USN\", value:\"2003-1\");\n\n script_name(english:\"Ubuntu 12.10 / 13.04 : glance vulnerability (USN-2003-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stuart McLaren discovered that Glance did not properly enforce the\n'download_image' policy for cached images. An authenticated user could\nexploit this to obtain sensitive information in an image protected by\nthis setting.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2003-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-glance package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-glance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:13.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.10|13\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.10 / 13.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.10\", pkgname:\"python-glance\", pkgver:\"2012.2.4-0ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"13.04\", pkgname:\"python-glance\", pkgver:\"1:2013.1.3-0ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-glance\");\n}\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2018-01-26T11:10:06", "description": "Check for the Version of glance", "cvss3": {}, "published": "2013-10-29T00:00:00", "type": "openvas", "title": "Ubuntu Update for glance USN-2003-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4428"], "modified": "2018-01-26T00:00:00", "id": "OPENVAS:841607", "href": "http://plugins.openvas.org/nasl.php?oid=841607", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2003_1.nasl 8542 2018-01-26 06:57:28Z teissa $\n#\n# Ubuntu Update for glance USN-2003-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841607);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-29 16:59:11 +0530 (Tue, 29 Oct 2013)\");\n script_cve_id(\"CVE-2013-4428\");\n script_tag(name:\"cvss_base\", value:\"3.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:N/A:N\");\n script_name(\"Ubuntu Update for glance USN-2003-1\");\n\n tag_insight = \"Stuart McLaren discovered that Glance did not properly enforce the\n'download_image' policy for cached images. An authenticated user could\nexploit this to obtain sensitive information in an image protected by this\nsetting.\";\n\n tag_affected = \"glance on Ubuntu 13.04 ,\n Ubuntu 12.10\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2003-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2003-1/\");\n script_tag(name: \"summary\" , value: \"Check for the Version of glance\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.2.4-0ubuntu1.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"1:2013.1.3-0ubuntu1.1\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:38:07", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2013-10-29T00:00:00", "type": "openvas", "title": "Ubuntu Update for glance USN-2003-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4428"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310841607", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841607", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2003_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for glance USN-2003-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841607\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-29 16:59:11 +0530 (Tue, 29 Oct 2013)\");\n script_cve_id(\"CVE-2013-4428\");\n script_tag(name:\"cvss_base\", value:\"3.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:N/A:N\");\n script_name(\"Ubuntu Update for glance USN-2003-1\");\n\n script_tag(name:\"affected\", value:\"glance on Ubuntu 13.04,\n Ubuntu 12.10\");\n script_tag(name:\"insight\", value:\"Stuart McLaren discovered that Glance did not properly enforce the\n'download_image' policy for cached images. An authenticated user could\nexploit this to obtain sensitive information in an image protected by this\nsetting.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2003-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2003-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'glance'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.10|13\\.04)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"2012.2.4-0ubuntu1.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-glance\", ver:\"1:2013.1.3-0ubuntu1.1\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:53:00", "description": "OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly\nbefore 2013.1.4, and Havana before 2013.2, when the download_image policy\nis configured, does not properly restrict access to cached images, which\nallows remote authenticated users to read otherwise restricted images via\nan image UUID.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/glance/+bug/1235378>\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726478>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | Essex (Ubuntu 12.04 LTS) does not have the download_image\n", "cvss3": {}, "published": "2013-10-16T00:00:00", "type": "ubuntucve", "title": "CVE-2013-4428", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4428"], "modified": "2013-10-16T00:00:00", "id": "UB:CVE-2013-4428", "href": "https://ubuntu.com/security/CVE-2013-4428", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2021-10-19T20:36:48", "description": "The openstack-glance packages provide a service (code name Glance) that\nacts as a registry for virtual machine images.\n\nA flaw was found in the Glance download_image policy enforcement for cached\nsystem images. When an image was previously cached by an authorized\ndownload, any authenticated user able to determine the image by its UUID\ncould download that image, bypassing the download_image policy. Only setups\nmaking use of the download_image policy were affected. (CVE-2013-4428)\n\nRed Hat would like to thank the OpenStack Project for reporting this\nissue. The OpenStack Project acknowledges Stuart McLaren from HP as the\noriginal reporter.\n\nThese updated openstack-glance packages have been upgraded to upstream\nversion 2013.1.4, which provides a number of bug fixes over the previous\nversion. (BZ#1021640)\n\nAll users of openstack-glance are advised to upgrade to these updated\npackages, which correct these issues. After installing the updated\npackages, the running Glance services must be manually restarted (using\n\"service [service name] restart\") for this update to take effect.\n", "cvss3": {}, "published": "2013-11-18T00:00:00", "type": "redhat", "title": "(RHSA-2013:1525) Moderate: openstack-glance security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4428"], "modified": "2018-06-09T10:17:33", "id": "RHSA-2013:1525", "href": "https://access.redhat.com/errata/RHSA-2013:1525", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}], "ubuntu": [{"lastseen": "2022-01-04T12:55:33", "description": "Stuart McLaren discovered that Glance did not properly enforce the \n'download_image' policy for cached images. An authenticated user could \nexploit this to obtain sensitive information in an image protected by this \nsetting.\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "ubuntu", "title": "Glance vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4428"], "modified": "2013-10-23T00:00:00", "id": "USN-2003-1", "href": "https://ubuntu.com/security/notices/USN-2003-1", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T13:36:26", "description": "OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.", "cvss3": {}, "published": "2013-10-27T00:55:00", "type": "cve", "title": "CVE-2013-4428", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4428"], "modified": "2018-11-15T19:34:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/a:openstack:glance:2013.2", "cpe:/o:canonical:ubuntu_linux:13.04", "cpe:/a:openstack:glance:2012.2.4"], "id": "CVE-2013-4428", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4428", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*", "cpe:2.3:a:openstack:glance:2013.2:milestone2:*:*:*:*:*:*", "cpe:2.3:a:openstack:glance:2012.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:openstack:glance:2013.2:milestone3:*:*:*:*:*:*", "cpe:2.3:a:openstack:glance:2013.2:milestone1:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*"]}], "debiancve": [{"lastseen": "2022-04-07T19:33:09", "description": "OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.", "cvss3": {}, "published": "2013-10-27T00:55:00", "type": "debiancve", "title": "CVE-2013-4428", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4428"], "modified": "2013-10-27T00:55:00", "id": "DEBIANCVE:CVE-2013-4428", "href": "https://security-tracker.debian.org/tracker/CVE-2013-4428", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2021-06-08T18:51:22", "description": "DoS, information leakage.", "edition": 2, "cvss3": {}, "published": "2013-12-23T00:00:00", "title": "OpenStack multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-4183", "CVE-2013-4202", "CVE-2013-4477", "CVE-2013-4185", "CVE-2013-6391", "CVE-2013-4155", "CVE-2013-4261", "CVE-2013-4278", "CVE-2013-4111", "CVE-2013-6858", "CVE-2013-4222", "CVE-2013-4428", "CVE-2013-4294", "CVE-2013-2256", "CVE-2013-4179"], "modified": "2013-12-23T00:00:00", "id": "SECURITYVULNS:VULN:13374", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13374", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
