cbcvebase.
CVE-2015-1195
published 2015-01-21

CVE-2015-1195: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or…

medium6.5CVSS 3.1
AVNACLAuSCPIPAP
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.

Affected

8 ranges
VendorProductVersion rangeFixed in
debianglance< glance 2014.1.3-11 (bookworm)glance 2014.1.3-11 (bookworm)
glance_projectglance>= 0 < 2014.1.3-112014.1.3-11
glance_projectglance>= 0 < 2014.1.3-112014.1.3-11
glance_projectglance>= 0 < 2014.1.3-112014.1.3-11
glance_projectglance>= 0 < 2014.1.3-112014.1.3-11
glance_projectglance>= 0 < 11.0.0a011.0.0a0
openstackimage_registry_and_delivery_service>= 2014.1 < 2014.1.42014.1.4
openstackimage_registry_and_delivery_service>= 2014.2 < 2014.2.22014.2.2

CVSS provenance

nvd6.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
ghsa5.5MEDIUM
osv5.5MEDIUM