ID CVE-2014-9684
Summary OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.
References
Vulnerable Configurations
  • cpe:2.3:a:openstack:image_registry_and_delivery_service_\(glance\):2014.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:image_registry_and_delivery_service_\(glance\):2014.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:image_registry_and_delivery_service_\(glance\):2014.2.2:*:*:*:*:*:*:*
CVSS
Base: 4.0 (as of 03-01-2017 - 02:59)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector Complexity Authentication
NETWORK LOW SINGLE
Impact
Confidentiality Integrity Availability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:N/I:N/A:P
redhat via4
advisories
rhsa
id RHSA-2015:0938
rpms
  • openstack-glance-0:2014.2.3-1.el7ost
  • openstack-glance-doc-0:2014.2.3-1.el7ost
  • python-glance-0:2014.2.3-1.el7ost
  • python-glance-store-0:0.1.10-3.el7ost
refmap via4
bid 72692
confirm https://bugs.launchpad.net/glance/+bug/1371118
mlist [openstack-announce] 20150223 [OSSA 2015-004] Glance import task leaks image in backend (CVE-2014-9684, CVE-2015-1881)
Last major update 03-01-2017 - 02:59
Published 24-02-2015 - 15:59
Last modified 03-01-2017 - 02:59