Glance Project Glance vulnerabilities
29 known vulnerabilities affecting glance_project/glance.
Total CVEs
29
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH3MEDIUM22LOW3
Vulnerabilities
Page 1 of 2
CVE-2024-32498P3HIGHCVSS 6.5≥ 0, ≤ 28.0.12024-07-05
CVE-2024-32498 [HIGH] CWE-200 OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access
OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's cont
ghsaosv
CVE-2015-5162P3HIGHCVSS 7.5≥ 0, < 14.0.02022-05-14
CVE-2015-5162 [HIGH] CWE-400 OpenStack Cinder, Glance, and Nova contain Uncontrolled Resource Consumption
OpenStack Cinder, Glance, and Nova contain Uncontrolled Resource Consumption
The image parser in OpenStack Cinder prior to 7.0.2, and 8.0.0 and above, prior to 9.0.0; Glance prior to 14.00; and Nova prior to 12.0.4 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image. This issue is patched in
ghsaosv
CVE-2022-25937P3MEDIUMCVSS 6.5fixed in 3.0.92023-02-13
CVE-2022-25937 [MEDIUM] CVE-2022-25937: Versions of the package glance before 3.0.9 are vulnerable to Directory Traversal that allows users
Versions of the package glance before 3.0.9 are vulnerable to Directory Traversal that allows users to read files outside the public root directory. This is related to but distinct from the vulnerability reported in [CVE-2018-3715](https://security.snyk.io/vuln/npm:glance:20180129).
ghsanvdosv
CVE-2018-3715P4MEDIUMCVSS 6.5fixed in 3.0.4fixed in 3.0.92018-06-07
CVE-2018-3715 [MEDIUM] CWE-22 CVE-2018-3715: glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validatio
glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of path passed to it, which allows a malicious user to read content of any file with known path.
ghsanvdosv
CVE-2014-0162P4MEDIUMCVSS 6.0≥ 2013.2, < 2013.2.42022-05-17
CVE-2014-0162 [MEDIUM] CWE-20 OpenStack Image Registry and Delivery Service (Glance) Improper Input Validation vulnerability
OpenStack Image Registry and Delivery Service (Glance) Improper Input Validation vulnerability
The Sheepdog backend in OpenStack Image Registry and Delivery Service (Glance) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modify an image to execute arbitrary commands via a crafted location.
ghsaosv
CVE-2015-1195P4MEDIUMCVSS 5.5≥ 0, < 11.0.0a02022-05-14
CVE-2015-1195 [MEDIUM] CWE-22 OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme
OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a `filesystem://` URL in the image location property. NOTE: this vulnerability exists because of an in
ghsaosv
CVE-2012-4573P4MEDIUMCVSS 5.5≥ 0, < 11.0.0a02022-05-17
CVE-2012-4573 [MEDIUM] OpenStack Glance arbitrary deletion of non-protected images
OpenStack Glance arbitrary deletion of non-protected images
The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.
ghsaosv
CVE-2017-7200P4MEDIUMCVSS 5.8≥ 0, < 11.0.0a02022-05-17
CVE-2017-7200 [MEDIUM] CWE-918 OpenStack Glance Server-Side Request Forgery (SSRF)
OpenStack Glance Server-Side Request Forgery (SSRF)
An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the s
ghsaosv
CVE-2022-47951P4MEDIUMCVSS 5.7≥ 0, < 23.0.1≥ 24.0.0, < 24.1.12023-01-27
CVE-2022-47951 [MEDIUM] CWE-22 OpenStack Cinder, glance, and Nova vulnerable to Path Traversal
OpenStack Cinder, glance, and Nova vulnerable to Path Traversal
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems t
ghsaosv
CVE-2026-34881P4MEDIUMCVSS 5.0≥ 0, < 29.2.0≥ 30.0.0, < 30.2.0+1 more2026-03-31
CVE-2026-34881 [MEDIUM] CWE-918 OpenStack Glance is affected by Server-Side Request Forgery (SSRF)
OpenStack Glance is affected by Server-Side Request Forgery (SSRF)
OpenStack Glance versions = 30.0.0 < 30.1.1, == 31.0.0 are affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only the glance image import functionality is affected. In particular, the web-download and glance-download im
ghsaosv
CVE-2014-9493P4MEDIUMCVSS 5.5≥ 0, < 2014.1.3-62015-01-07
CVE-2014-9493 [MEDIUM] CVE-2014-9493: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.
osv
CVE-2012-5482P4MEDIUMCVSS 5.5≥ 0, < 11.0.0a02022-05-17
CVE-2012-5482 [MEDIUM] OpenStack Glance arbitrary deletion of non-protected images
OpenStack Glance arbitrary deletion of non-protected images
The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4573.
ghsaosv
CVE-2022-31546P4CRITICALCVSS 9.3≤ 2014-06-272022-07-11
CVE-2022-31546 [CRITICAL] CWE-22 CVE-2022-31546: The nlpweb/glance repository through 2014-06-27 on GitHub allows absolute path traversal because the
The nlpweb/glance repository through 2014-06-27 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
nvd
CVE-2015-5286P4MEDIUMCVSS 4.0≥ 0, < 2014.2.4≥ 2015.1.0, < 2015.1.22022-05-17
CVE-2015-5286 [MEDIUM] CWE-400 OpenStack Image Service (Glance) allows remote authenticated users to bypass storage quota, cause denial of service
OpenStack Image Service (Glance) allows remote authenticated users to bypass storage quota, cause denial of service
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being
ghsaosv
CVE-2018-3748P4MEDIUMCVSS 6.1v3.0.52018-07-03
CVE-2018-3748 [MEDIUM] CWE-79 CVE-2018-3748: There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. File name, which co
There is a Stored XSS vulnerability in the glance node module versions element) allows to execute JavaScript code against any user who opens a directory listing containing such crafted file name.
ghsanvdosv
CVE-2015-5251P4MEDIUMCVSS 5.5≥ 2011.2, < 2014.2.4≥ 2015.1.0, < 2015.1.22022-05-17
CVE-2015-5251 [MEDIUM] CWE-863 OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions
OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
ghsaosv
CVE-2015-8234P4MEDIUM≥ 0, ≤ 11.0.02022-05-17
CVE-2015-8234 [MEDIUM] CWE-328 OpenStack Glance Signature Verification Bypass
OpenStack Glance Signature Verification Bypass
The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision.
ghsaosv
CVE-2016-0757P4MEDIUMCVSS 4.3≥ 11.0.0, < 11.0.22022-05-17
CVE-2016-0757 [MEDIUM] CWE-284 OpenStack Image Service (Glance) vulnerable to Improper Access Control
OpenStack Image Service (Glance) vulnerable to Improper Access Control
OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image.
ghsaosv
CVE-2015-5163P4HIGHCVSS 3.5≥ 2015.1.0, < 2015.1.22022-05-17
CVE-2015-5163 [HIGH] CWE-200 OpenStack Image Service (Glance) allows remote authenticated users to read arbitrary file
OpenStack Image Service (Glance) allows remote authenticated users to read arbitrary file
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.
ghsaosv
CVE-2013-4428P4LOWCVSS 3.5≥ 0, < 2013.2-12013-10-27
CVE-2013-4428 [LOW] CVE-2013-4428: OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013
OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.
osv
1 / 2Next →