CVE-2014-9493 — MEDIUM (5.5)

Q: How severe is CVE-2014-9493?

CVE-2014-9493 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-9493?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Openstack, Openstack Image Registry And Delivery Service \(Glance\).

Vulnerability Description

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

CVSS Score

5.5

MEDIUM

AV:N/AC:L/Au:S/C:P/I:N/A:P

Confidentiality

PARTIAL

Integrity

NONE

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Redhat	Openstack	4.0
Openstack	Image Registry And Delivery Service \(Glance\)	>= 2014.1, < 2014.1.4

Related Weaknesses (CWE)

CWE-264

References

http://lists.openstack.org/pipermail/openstack-announce/2014-December/000317.htmPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0246.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
http://www.securityfocus.com/bid/71688Third Party AdvisoryVDB Entry
https://bugs.launchpad.net/glance/+bug/1400966Issue TrackingThird Party Advisory
https://security.openstack.org/ossa/OSSA-2014-041.htmlVendor Advisory
http://lists.openstack.org/pipermail/openstack-announce/2014-December/000317.htmPatchVendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0246.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlThird Party Advisory
http://www.securityfocus.com/bid/71688Third Party AdvisoryVDB Entry
https://bugs.launchpad.net/glance/+bug/1400966Issue TrackingThird Party Advisory
https://security.openstack.org/ossa/OSSA-2014-041.htmlVendor Advisory

FAQ

What is CVE-2014-9493?

CVE-2014-9493 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL...

How severe is CVE-2014-9493?

CVE-2014-9493 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-9493?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Openstack, Openstack Image Registry And Delivery Service \(Glance\).