CVE-2013-1840: OpenStack Glance is vulnerable to Exposure of Sensitive Information

May 17, 2022 (updated May 14, 2024)

The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator’s backend credentials via a request for a cached image.

References

bugs.launchpad.net/glance/+bug/1135541
exchange.xforce.ibmcloud.com/vulnerabilities/82878
github.com/advisories/GHSA-c8w9-83vg-r8vv
github.com/openstack/glance
github.com/openstack/glance/commit/74b067df9726f9cf3e6e17e248719794a6ee0745
github.com/openstack/glance/commit/dd849a9be540bedd4fd904cc0b86ccd9c3e34af2
github.com/openstack/glance/commit/e75764eee34915f8bc5b664ac18e47a556c9d3dd
nvd.nist.gov/vuln/detail/CVE-2013-1840
review.openstack.org/
review.openstack.org/
review.openstack.org/

Detect and mitigate CVE-2013-1840 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →