date: 2015-01-15

id: OSSA-2015-002

title: 'Glance v2 API unrestricted path traversal through filesystem:// scheme'

description: 'Jin Liu from EMC reported that path traversal vulnerabilities in Glance
    were not fully patched in OSSA 2014-041. By setting a malicious image
    location to a filesystem:// scheme an authenticated user can still
    download or delete any file on the Glance server for which the Glance
    process user has access to. Only setups using the Glance V2 API are
    affected by this flaw.'

errata: 'When the original advisory was published a CVE number was not assigned.
    CVE-2015-1195 can now be used to track this vulnerability.'

affected-products:

  - product: glance
    version: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

vulnerabilities:

  - cve-id: CVE-2015-1195

reporters:

  - name: 'Jin Liu'
    affiliation: EMC
    reported:
      - CVE-2015-1195

issues:

  links:
    - https://launchpad.net/bugs/1408663

  type: launchpad

reviews:

  kilo:
    - https://review.openstack.org/145640

  juno:
    - https://review.openstack.org/145916

  icehouse:
    - https://review.openstack.org/145974

  type: gerrit

notes:
  - 'This fix was included in the kilo-1 development milestone and will be included
     in future 2014.2.2 (juno) and 2014.1.4 (icehouse) releases.'
  - 'The OpenStack VMT recommends revoking all credentials stored in files
     accessible by Glance as a precautionary measure.'

errata_history:
  - 2015-01-19 - Errata 1
  - 2015-01-15 - Original Version