Information Disclosure in OpenStack Glance by Vendor OpenStack
CVE-2013-1840

Currently unrated

Key Information:

Vendor: Openstack
Status: Glance
Vendor: CVE Published:; 22 March 2013

Summary

The v1 API in OpenStack Glance for the Essex, Folsom, and Grizzly releases can reveal backend credentials of the operator when using a single-tenant Swift or S3 store. This happens via a request for a cached image, which exposes sensitive information to authenticated remote users. Proper measures should be implemented to secure the API and mitigate potential exploitation by ensuring that sensitive location fields are not disclosed.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/82878

vdb-entryx_refsource_XF

https://review.openstack.org/#/c/24437/

x_refsource_CONFIRM

http://www.ubuntu.com/usn/USN-1764-1

vendor-advisoryx_refsource_UBUNTU

Timeline

Vulnerability published
Mar 22, 2013
Vulnerability Reserved
Feb 19, 2013