CVE-2015-5251
Published: 22 September 2015
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
Notes
Author | Note |
---|---|
tyhicks | 12.04 likely needs the ACTIVE_IMMUTABLE check, as well. |
Priority
Status
Package | Release | Status |
---|---|---|
glance | precise | Ignored (end of life) |
glance | trusty | Released (1:2014.1.5-0ubuntu1.1) |
glance | upstream | Needed |
glance | vivid | Not vulnerable (1:2015.1.2-0ubuntu1) |
glance | wily | Not vulnerable (2:11.0.0-0ubuntu1) |
glance | xenial | Not vulnerable (2:11.0.0-0ubuntu1) |
glance | yakkety | Not vulnerable (2:11.0.0-0ubuntu1) |
glance | zesty | Not vulnerable (2:11.0.0-0ubuntu1) |

Patches:
upstream: https://review.openstack.org/226338
upstream: https://review.openstack.org/226337
upstream: https://review.openstack.org/226336
vendor:
vendor: http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/RHOS/SRPMS/openstack-glance-2014.1.5-5.el7ost.src.rpm