CVE-2016-0757 — Improper Access Control in Project Glance

CWE-284 — Improper Access Control CWE-285 — Improper Authorization11 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 63.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glance Project Glance Openstack Image Registry AND Delivery Service

Timeline

PublishedApr 13

Latest updateMay 17

Description

OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDopenstack/image_registry_and_delivery_service11.0.0, 11.0.1, 2015.1.2+2

▶PyPIglance_project/glance11.0.0 — 11.0.2

▶Debianglance_project/glance< 2:12.0.0-1+3

Patches

Patch: security.openstack.org ↗Patch: security.openstack.org ↗

🔴Vulnerability Details

OSV

OpenStack Image Service (Glance) vulnerable to Improper Access Control↗2022-05-17

▶

GHSA

OpenStack Image Service (Glance) vulnerable to Improper Access Control↗2022-05-17

▶

OSV

glance vulnerabilities↗2017-10-11

▶

OSV

CVE-2016-0757: OpenStack Image Service (Glance) before 2015↗2016-04-13

▶

CVEList

CVE-2016-0757: OpenStack Image Service (Glance) before 2015↗2016-04-13

▶

📋Vendor Advisories

Ubuntu

OpenStack Glance vulnerabilities↗2017-10-11

▶

Red Hat

openstack-glance: Glance image status manipulation through locations↗2016-02-04

▶

Debian

CVE-2016-0757: glance - OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2...↗2016

▶

💬Community

Bugzilla

CVE-2016-0757 openstack-glance: Glance image status manipulation through locations [fedora-all]↗2016-02-04

▶

Bugzilla

CVE-2016-0757 openstack-glance: Glance image status manipulation through locations↗2016-01-28

▶