CVE-2014-9493 — Path Traversal in Image Registry AND Delivery Service

CWE-264 CWE-22 — Path Traversal10 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.8%

top 26.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glance Project Glance Openstack Image Registry AND Delivery Service Redhat Openstack

Timeline

PublishedJan 7

Latest updateMay 14

Description

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 8.0 | Impact: 4.9

Affected Packages3 packages

▶NVDopenstack/image_registry_and_delivery_service2014.1 — 2014.1.4+1

▶Debianglance_project/glance< 2014.1.3-6+3

▶NVDredhat/openstack4.0, 5.0+1

Patches

Patch: lists.openstack.org ↗Patch: lists.openstack.org ↗

🔴Vulnerability Details

GHSA

GHSA-jgr4-76hh-5p7q: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014↗2022-05-14

▶

GHSA

OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme↗2022-05-14

▶

CVEList

CVE-2014-9493: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014↗2015-01-07

▶

OSV

CVE-2014-9493: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014↗2015-01-07

▶

📋Vendor Advisories

Red Hat

openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)↗2015-01-12

▶

Red Hat

openstack-glance: unrestricted path traversal flaw↗2014-12-15

▶

Debian

CVE-2014-9493: glance - The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014...↗2014

▶

💬Community

Bugzilla

CVE-2015-1195 openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)↗2015-01-13

▶

Bugzilla

CVE-2014-9493 openstack-glance: unrestricted path traversal flaw↗2014-12-15

▶