CVE-2013-1840 — OpenStack Glance is vulnerable to Exposure of Sensitive Information

描述

The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.

如何修補 CVE-2013-1840

要修補 CVE-2013-1840,請將受影響套件升級到下列已修補版本。

Debian/glance—升級至 2012.1.1-5 或更新版本
PyPI/glance—升級至 11.0.0a0 或更新版本
PyPI/glance—未列出修補版本

CVE-2013-1840 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(3)

from 0, < 2012.1.1-5
from 0, < 11.0.0a0
from 0, <= v1

參考連結(22)

ADVISORYgithub.com/advisories/GHSA-c8w9-83vg-r8vv
ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-1840
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-1840
PATCHgithub.com/openstack/glance
WEBosvdb.org/91304