c5ece310d2
Change-Id: Id5de7f19dd7ece9eba1c08ac8ca23d953de796e3
53 lines
1.1 KiB
YAML
53 lines
1.1 KiB
YAML
date: 2015-01-26
|
|
|
|
id: OSSA-2015-003
|
|
|
|
title: 'Glance user storage quota bypass'
|
|
|
|
description: 'Tushar Patil from NTT reported a vulnerability in Glance. By deleting images
|
|
that are being uploaded, a malicious user can overcome the storage quota and
|
|
thus may overrun the backend. Images in deleted state are not taken into
|
|
account by quota and won''t be effectively deleted until the upload is
|
|
completed. Only Glance setups configured with user_storage_quota are
|
|
affected.'
|
|
|
|
affected-products:
|
|
|
|
- product: glance
|
|
version: up to 2014.1.3 and 2014.2 versions up to 2014.2.1
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2014-9623
|
|
|
|
reporters:
|
|
|
|
- name: 'Tushar Patil'
|
|
affiliation: NTT
|
|
reported:
|
|
- CVE-2014-9623
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1398830
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
kilo:
|
|
- https://review.openstack.org/144464
|
|
|
|
juno:
|
|
- https://review.openstack.org/149387
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/149646
|
|
|
|
type: gerrit
|
|
|
|
notes:
|
|
- 'This fix will be included in the kilo-2 development milestone and in
|
|
future 2014.2.2 (juno) and 2014.1.4 (icehouse) releases.'
|