Glance

CVEs related to bugs in Glance

Open bugs

Bug	CVE(s)
Bug #1990157: OSSN-0090: Malicious image data modification can happen when using COW	CVE-2016-0757 CVE-2022-4134
Glance	New (unassigned)

Resolved bugs

Bug	CVE(s)
Bug #1056420: nosetest options cause no such option errors	CVE-2012-4573
Glance	Fix released, assigned to Mark Washenberger
Bug #1057322: Image fails to upload to swift: TypeError: object of type 'CooperativeReader' has no len(	CVE-2012-4573
Glance	Fix released, assigned to Mark Washenberger
Bug #1059634: Badly named stable/folsom Glance tarballs	CVE-2012-4573
Glance	Invalid (unassigned)
Bug #1060930: Admin can update metadata of a deleted image	CVE-2012-4573
Glance	Fix released, assigned to Unmesh Gurjar
Bug #1060944: v1 API returns 200 OK when an admin deletes a deleted image	CVE-2012-4573
Glance	Fix released, assigned to Unmesh Gurjar
Bug #1065187: [OSSA-2012-017] Non-admin users can cause public glance images to be deleted	CVE-2012-4573
Glance	Fix released, assigned to Russell Bryant
Bug #1065758: No exclude option to skip tests in run_tests.sh	CVE-2012-4573
Glance	Fix released, assigned to Gerardo Porras
Bug #1071446: admins can see deleted images in v2 api	CVE-2012-4573
Glance	Fix released, assigned to Mark Washenberger
Bug #1073569: Jenkins jobs fail because of incompatibility between sqlalchemy-migrate and the newest sqlalchemy-0.8.0b1	CVE-2012-4573 CVE-2012-5563 CVE-2012-5571
Glance	Fix released, assigned to Sean Dague
Bug #1075580: Glance image-delete HTTPInternalServerError HTTP 500	CVE-2012-4573
Glance	Fix released, assigned to Josh Durgin
Bug #1076506: [OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted in the v2 api	CVE-2012-5482
Glance	Fix released, assigned to Mark Washenberger
Bug #1098962: [OSSA 2013-002] glance image-download can display backend Swift password	CVE-2013-0212
Glance	Fix released, assigned to Dan Prince
Bug #1135541: [OSSA 2013-007] v1 api returns location as header for cached images	CVE-2013-1840
Glance	Fix released, assigned to Stuart McLaren
Bug #1177924: Use testr instead of nose as the unittest runner.	CVE-2016-0738
Glance	Fix released (unassigned)
Bug #1226078: Glance allows user to create images and add other tenants as members (CVE-2013-4354)	CVE-2013-4354
Glance	Invalid (unassigned)
Bug #1235378: [OSSA 2013-027] 'image_download' role in v2 causes traceback	CVE-2013-4428
Glance	Fix released, assigned to Zhi Yan Liu
Bug #1275062: [OSSA 2014-004] sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948)	CVE-2014-1948
Glance	Fix released, assigned to Nikhil Komawar
Bug #1298698: [OSSA 2014-012] Remote Code Execution in Sheepdog backend (CVE-2014-0162)	CVE-2014-0162
Glance	Fix released, assigned to Zhi Yan Liu
Bug #1400966: [OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493)	CVE-2014-9493
Glance	Fix released, assigned to Grant Murphy
Bug #1408663: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)	CVE-2014-9493
Glance	Fix released, assigned to Grant Murphy
Bug #1449062: [OSSA 2016-012] qemu-img calls need to be restricted by ulimit (CVE-2015-5162)	CVE-2015-1850 CVE-2015-1851 CVE-2015-5162
Glance	Fix released, assigned to Hemanth Makkapati
Bug #1454087: Image data stays in store if image is deleted after creating image using import task (CVE-2015-3289)	CVE-2015-3289
Glance	Fix released (unassigned)
Bug #1471912: [OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)	CVE-2015-5163
Glance	Fix released, assigned to Flavio Percoco
Bug #1482371: [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)	CVE-2015-5251
Glance	Fix released, assigned to Stuart McLaren
Bug #1498163: [OSSA 2015-020] Glance storage quota bypass when token is expired (CVE-2015-5286)	CVE-2015-5286
Glance	Fix released, assigned to Mike Fedosin
Bug #1525915: [OSSA 2016-006] Normal user can change image status if show_multiple_locations has been set to true (CVE-2016-0757)	CVE-2016-0757
Glance	Fix released, assigned to Erno Kuvaja
Bug #1545092: Images v2 api image-create vulnerability	CVE-2016-8611
Glance	Opinion (unassigned)
Bug #1996188: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)	CVE-2022-47951
Glance	Fix released, assigned to Dan Smith