
CVE-2015-1195

Published: 21/01/2015 Updated: 04/02/2019
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

The V2 API in OpenStack Image Registry and Delivery Service (Glance) prior to 2014.1.4 and 2014.2.x prior to 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.
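The summary above describes the check that was missing: a v2 image `locations` entry pointing at the local filesystem store was accepted with any full pathname, so a read or delete of that "image" touched whatever file the glance process user could reach. The following Python is an added illustration of the kind of location validation a defender would want at that boundary; it is not Glance's own code. It assumes the filesystem store URL scheme is `file` (the summary writes `filesystem:`, so both are accepted), that the store has a configured list of data directories, and that a v2 image record carries its locations as a list of `{"url": ...}` dicts; the sample image below is constructed for the example.

```python
from pathlib import Path
from urllib.parse import unquote, urlparse

# Schemes that map a location straight onto the local filesystem.
# Assumption: Glance's filesystem store uses "file"; "filesystem" covers the
# spelling used in the CVE summary.
LOCAL_SCHEMES = {"file", "filesystem"}

# Assumed store configuration: the only directories image data may live in.
ALLOWED_DATA_DIRS = ["/var/lib/glance/images"]


def is_local_filesystem_location(location: str) -> bool:
    """True if the URL would be served by the local filesystem store."""
    return urlparse(location).scheme.lower() in LOCAL_SCHEMES


def local_path_within(location: str, allowed_dirs) -> bool:
    """Return True only if a local-filesystem location names a file strictly
    inside one of `allowed_dirs` after decoding, '..' collapsing and symlink
    resolution. Anything else (another host, a relative path, the data
    directory itself, or a path outside it) is rejected."""
    parsed = urlparse(location)
    if parsed.scheme.lower() not in LOCAL_SCHEMES:
        return False
    if parsed.netloc not in ("", "localhost"):
        return False
    raw_path = unquote(parsed.path)  # "%2e%2e" must not slip past the check
    if not raw_path.startswith("/"):
        return False
    # resolve() collapses ".." and follows symlinks; with strict=False (the
    # default) it also works for paths that do not exist yet.
    candidate = Path(raw_path).resolve()
    for base in allowed_dirs:
        base_resolved = Path(base).resolve()
        try:
            candidate.relative_to(base_resolved)
        except ValueError:
            continue  # not under this data directory
        if candidate != base_resolved:
            return True  # a file beneath the directory, not the directory
    return False


def rejected_locations(image: dict, allowed_dirs) -> list:
    """URLs from an image's v2 `locations` list that the filesystem store must
    refuse. Non-local schemes are left to their own store validators and are
    not reported here."""
    rejected = []
    for entry in image.get("locations", []):
        url = entry.get("url", "")
        if is_local_filesystem_location(url) and not local_path_within(url, allowed_dirs):
            rejected.append(url)
    return rejected


# Constructed sample image record (placeholder id, not a real deployment).
SAMPLE_IMAGE = {
    "id": "00000000-0000-4000-8000-000000000000",
    "locations": [
        {"url": "file:///var/lib/glance/images/00000000-0000-4000-8000-000000000000",
         "metadata": {}},
        {"url": "file:///etc/hostname", "metadata": {}},
        {"url": "file:///var/lib/glance/images/%2e%2e/%2e%2e/etc/hostname",
         "metadata": {}},
        {"url": "http://images.example.test/cirros.img", "metadata": {}},
    ],
}

if __name__ == "__main__":
    for url in rejected_locations(SAMPLE_IMAGE, ALLOWED_DATA_DIRS):
        print("reject:", url)
```

The decisive step is resolving the decoded path before the containment test: a prefix comparison on the raw string would accept `/var/lib/glance/images/../../etc/...`, which is exactly the class of input the incomplete fix for CVE-2014-9493 left open.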

Vulnerable Product

OpenStack Image Registry and Delivery Service (Glance)

Vendor Advisories

Debian Bug report logs - #775926 CVE-2015-1195: Glance still allows users to download and delete any file in glance-api server. Package: glance; Maintainer for glance is Debian OpenStack <team+openstack@tracker.debian.org>; Source for glance is src:glance (PTS, buildd, popcon). Reported by: Thomas Goirand <zigo@debian.org> ...
It was discovered that the fix for CVE-2014-9493 was incomplete: an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw ...