CVE 2014-9493
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.
Related bugs and status
CVE-2014-9493 (Candidate) is related to these bugs:
Bug #1400966: [OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493)
Bug #1403102: Glance allows users to download and delete any file in glance-api server
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1403102 | Glance allows users to download and delete any file in glance-api server | Mirantis OpenStack | Critical | Fix Released | ||
| 1403102 | Glance allows users to download and delete any file in glance-api server | Mirantis OpenStack 6.1.x | Critical | Fix Released | ||
| 1403102 | Glance allows users to download and delete any file in glance-api server | Mirantis OpenStack 6.0.x | Critical | Fix Released | ||
| 1403102 | Glance allows users to download and delete any file in glance-api server | Mirantis OpenStack 5.0.x | Critical | Won't Fix | ||
| 1403102 | Glance allows users to download and delete any file in glance-api server | Mirantis OpenStack 4.1.x | Critical | Won't Fix | ||
| 1403102 | Glance allows users to download and delete any file in glance-api server | Mirantis OpenStack 5.1.x | Critical | Fix Released | ||
Bug #1408663: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1408663 | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) | OpenStack Security Advisory | Critical | Fix Released | ||
| 1408663 | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) | Glance | Critical | Fix Released | ||
| 1408663 | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) | Glance icehouse | Critical | Fix Released | ||
| 1408663 | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) | Glance juno | Critical | Fix Released | ||
Bug #1514467: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1514467 | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) | Mirantis OpenStack | Undecided | Invalid | ||
| 1514467 | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) | Mirantis OpenStack 5.1.x | Critical | Fix Released | ||
| 1514467 | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) | Mirantis OpenStack 6.0.x | Critical | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
