Glance Project Glance vulnerabilities

29 known vulnerabilities affecting glance_project/glance.

Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: Critical 1, High 3, Medium 22, Low 3

Vulnerabilities (page 2 of 2)
CVE-2013-1840 | LOW | CVSS 3.5 | Affected: ≥ 0, < 11.0.0a0 | 2022-05-17
CVE-2013-1840 [LOW] CWE-200: OpenStack Glance is vulnerable to Exposure of Sensitive Information. The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.
Sources: GHSA, OSV
CVE-2015-5162 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 14.0.0 | 2022-05-14
CVE-2015-5162 [HIGH] CWE-400: OpenStack Cinder, Glance, and Nova contain Uncontrolled Resource Consumption. The image parser in OpenStack Cinder prior to 7.0.2, and 8.0.0 and above, prior to 9.0.0; Glance prior to 14.00; and Nova prior to 12.0.4 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image. This issue is patched in
Sources: GHSA, OSV
CVE-2015-1195 | MEDIUM | CVSS 5.5 | Affected: ≥ 0, < 11.0.0a0 | 2022-05-14
CVE-2015-1195 [MEDIUM] CWE-22: OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme. The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a `filesystem://` URL in the image location property. NOTE: this vulnerability exists because of an in
Sources: GHSA, OSV
CVE-2013-0212 | MEDIUM | CVSS 4.0 | Affected: ≥ 2012.1, < 2012.2.3 | 2022-05-05
CVE-2013-0212 [MEDIUM] CWE-200: OpenStack Glance logs user name and password in cleartext. store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, which allows remote authenticated users to obtain sensitive information by reading the error messages.
Sources: GHSA, OSV
CVE-2018-3748 | MEDIUM | CVSS 6.1 | Affected: v3.0.5 | 2018-07-03
CVE-2018-3748 [MEDIUM] CWE-79: There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. File name, which co[…] element) allows JavaScript code to be executed against any user who opens a directory listing containing such a crafted file name.
Sources: GHSA, NVD, OSV
CVE-2018-3715 | MEDIUM | CVSS 6.5 | Fixed in 3.0.4; fixed in 3.0.9 | 2018-06-07
CVE-2018-3715 [MEDIUM] CWE-22: The glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of the path passed to it, which allows a malicious user to read the content of any file with a known path.
Sources: GHSA, NVD, OSV
CVE-2015-3289 | MEDIUM | CVSS 4.0 | Affected: ≥ 0, < 2015.1.0-4 | 2015-08-14
CVE-2015-3289 [MEDIUM]: OpenStack Glance before 2015.1.1 (Kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them.
Sources: OSV
CVE-2014-9493 | MEDIUM | CVSS 5.5 | Affected: ≥ 0, < 2014.1.3-6 | 2015-01-07
CVE-2014-9493 [MEDIUM]: The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.
Sources: OSV
CVE-2013-4428 | LOW | CVSS 3.5 | Affected: ≥ 0, < 2013.2-1 | 2013-10-27
CVE-2013-4428 [LOW]: OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.
Sources: OSV