Authorization Bypass

2019-01-1509:10:16

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.001 Low

EPSS

Percentile

45.2%

JSON

openstack-glance is vulnerable to authorization bypass. An authorization vulnerability allowed image-status manipulation using locations. By removing the last location of an image, an authenticated user could change the status from ‘active’ to ‘queue’. A malicious tenant could exploit this flaw to silently replace owned image data, regardless of its original creator or visibility settings. Only environments with show_multiple_locations set to true (not default) were affected.

CPENameOperatorVersion
openstack-glanceeq2014.1.4__1.el6ost
openstack-glanceeq2014.1.1__1.el6ost
openstack-glanceeq2015.1.2__1.el7ost
openstack-glanceeq17.0.0__0.2.0rc2.el7
openstack-glanceeq2012.1.1__1.el6
openstack-glanceeq2013.2.2__3.el6ost
openstack-glanceeq2013.2__5.el6ost
openstack-glanceeq2013.1__3.el6ost
openstack-glanceeq2014.1__4.el7ost
openstack-glanceeq2012.2.3__3.el6ost

Name	Operator	Version
openstack-glance	eq	2014.1.4__1.el6ost
openstack-glance	eq	2014.1.1__1.el6ost
openstack-glance	eq	2015.1.2__1.el7ost
openstack-glance	eq	17.0.0__0.2.0rc2.el7
openstack-glance	eq	2012.1.1__1.el6
openstack-glance	eq	2013.2.2__3.el6ost
openstack-glance	eq	2013.2__5.el6ost
openstack-glance	eq	2013.1__3.el6ost
openstack-glance	eq	2014.1__4.el7ost
openstack-glance	eq	2012.2.3__3.el6ost