CVE-2013-1840

Published: 14 March 2013

The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.

Priority

Status

Package	Release	Status
glance Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Does not exist
	oneiric	Not vulnerable (code-not-present)
	precise	Released (2012.1.3+stable~20120821-120fcf-0ubuntu1.5)
	quantal	Released (2012.2.1-0ubuntu1.2)
	upstream	Pending (2013.1~rc1)

References

https://lists.launchpad.net/openstack/msg21891.html
https://ubuntu.com/security/notices/USN-1764-1
https://www.cve.org/CVERecord?id=CVE-2013-1840
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/bugs/1135541

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›