CVE-2015-5163

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2015-5163
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.

3.5 /10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html
http://rhn.redhat.com/errata/RHSA-2015-1639.html
http://www.securityfocus.com/bid/76346
https://bugs.launchpad.net/glance/+bug/1471912
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openstack:glance:2015.1.0:*:*:*:*:*:*:*
cpe:2.3:a:openstack:glance:2015.1.1:*:*:*:*:*:*:*
History

13 Feb 2023, 00:50

Type Values Removed Values Added
References
  • {'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1252378', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1252378', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2015:1639', 'name': 'https://access.redhat.com/errata/RHSA-2015:1639', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/security/cve/CVE-2015-5163', 'name': 'https://access.redhat.com/security/cve/CVE-2015-5163', 'tags': [], 'refsource': 'MISC'}
Summary A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw. The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.

02 Feb 2023, 16:16

Type Values Removed Values Added
Summary The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image. A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw.
References
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1252378 -
  • (MISC) https://access.redhat.com/errata/RHSA-2015:1639 -
  • (MISC) https://access.redhat.com/security/cve/CVE-2015-5163 -
Information

Published : 2015-08-19 15:59

Updated : 2023-12-10 11:46

NVD link : CVE-2015-5163

Mitre link : CVE-2015-5163

CVE.ORG link : CVE-2015-5163

JSON object : View

Products Affected

openstack

  • glance
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor