CVE-2015-1195 — Path Traversal in Image Registry AND Delivery Service

CWE-22 — Path Traversal8 documents7 sources

Severity

6.5MEDIUMNVD

CNA5.5GHSA5.5OSV5.5

EPSS

1.1%

top 21.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glance Project Glance Openstack Image Registry AND Delivery Service

Timeline

PublishedJan 21

Latest updateMay 14

Description

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages3 packages

▶NVDopenstack/image_registry_and_delivery_service2014.1 — 2014.1.4+1

▶PyPIglance_project/glance< 11.0.0a0

▶Debianglance_project/glance< 2014.1.3-11+3

🔴Vulnerability Details

GHSA

OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme↗2022-05-14

▶

OSV

OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme↗2022-05-14

▶

CVEList

CVE-2015-1195: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014↗2015-01-21

▶

OSV

CVE-2015-1195: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014↗2015-01-21

▶

📋Vendor Advisories

Red Hat

openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)↗2015-01-12

▶

Debian

CVE-2015-1195: glance - The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014...↗2015

▶

💬Community

Bugzilla

CVE-2015-1195 openstack-glance: unrestricted path traversal flaw (incomplete fix for CVE-2014-9493) (OSSA 2015-002)↗2015-01-13

▶