1. CVE-Search
  2. CVE-2017-7200
ID CVE-2017-7200
Summary An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.
References
Vulnerable Configurations
  • cpe:2.3:a:openstack:glance:0.1.7:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:0.1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2.0:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:alpha0:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:alpha0:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:11.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:11.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:12.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:12.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:12.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:12.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:12.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:12.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:12.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:12.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:12.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:12.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:12.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:12.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:13.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:13.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:13.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:13.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:13.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:13.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:13.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:13.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:13.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:13.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:13.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:13.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:14.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:14.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:14.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:14.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:14.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:14.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:14.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:14.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:14.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:14.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:14.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:14.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:15.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:16.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:16.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:17.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:17.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:17.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:17.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:17.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:17.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:17.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:17.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:17.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:17.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:17.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:17.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:18.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:18.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:18.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:18.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:18.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:18.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2011.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2011.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2011.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2011.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2011.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2011.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2012.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2012.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:milestone1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:milestone2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:milestone3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2013.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2013.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2:rc3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2:rc3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2014.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2014.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.0:-:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:glance:2015.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:glance:2015.1.4:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 30-03-2017 - 16:39)
Impact:
Exploitability:
CWE CWE-918
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 96988
confirm
Last major update 30-03-2017 - 16:39
Published 21-03-2017 - 06:59
Last modified 30-03-2017 - 16:39
Back to Top