yahoo-eng-team team mailing list archive

[Bug 1226078] Re: Glance allows user to create images and add other tenants as members (CVE-2013-4354)

Published on OpenStack and OpenStack-Dev mailing lists on 11 Dec 2013.

** Changed in: ossn
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1226078

Title:
  Glance allows user to create images and add other tenants as members
  (CVE-2013-4354)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Invalid
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  It's well known that Glance does not perform any check on tenants.
  This has been a behavior we kept as-is to avoid increasing requests
  needed in the image management process, however, after some tests, I
  think this behavior can be a security issue.

  Scenario:
  - Create an image using user1
  - Pick user2's tenant id and add it as a member of the image user1 just created
  - Use user2 to list images. This will list the image user1 created.

  I think this is an issue because it allows a user from one tenant to
  sneak images with a backdoor into other tenants.
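The practical consequence of the scenario above is that a tenant's image listing can contain entries it never asked for, possibly carrying the same name as a legitimate image. The following is an added example, not code from Glance or from the bug reporter: it audits a tenant's image listing for images that are neither public nor owned by that tenant, reports name collisions between foreign and trusted images, and resolves an image name to an id only among trusted images. The record shape (``id``, ``name``, ``owner``, ``visibility``) follows a Glance v2 image listing; the tenant ids and image records are constructed sample data, and the helper names are this example's own.

```python
"""Audit a tenant's Glance image listing for images shared in by other tenants.

Added example for this bug report (not part of Glance or the OSSN). It assumes
the record shape of a Glance v2 image listing: each image has ``id``, ``name``,
``owner`` (the owning tenant id) and ``visibility`` (``public`` or ``private``).
"""

# Constructed sample tenant ids (hypothetical, not real tenants).
USER1_TENANT = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
USER2_TENANT = "b2c1d0e9f8a74c3d9e1f2a3b4c5d6e7f"

# Constructed sample: what user2's listing could look like after user1
# added USER2_TENANT as a member of two private images, one of them
# carrying the same name as an image user2 already owns.
SAMPLE_IMAGES = [
    {"id": "aaaa", "name": "ubuntu-12.04", "owner": USER2_TENANT, "visibility": "private"},
    {"id": "bbbb", "name": "cirros-0.3.1", "owner": "admin-tenant", "visibility": "public"},
    {"id": "cccc", "name": "ubuntu-12.04", "owner": USER1_TENANT, "visibility": "private"},
    {"id": "dddd", "name": "ubuntu-12.04-hardened", "owner": USER1_TENANT, "visibility": "private"},
]


def is_trusted(image, my_tenant):
    """An image is trusted if my tenant owns it or it is public.

    Public images are trusted only in the sense of this example: the cloud
    operator controls who may publish, which is outside this bug's scope.
    """
    return image.get("owner") == my_tenant or image.get("visibility") == "public"


def shared_in_images(images, my_tenant):
    """Return the images another tenant pushed into my listing.

    These are exactly the images from the bug's scenario: private, owned by
    someone else, visible to me only because the owner added my tenant id
    as a member without my consent.
    """
    return [img for img in images if not is_trusted(img, my_tenant)]


def name_collisions(images, my_tenant):
    """Names used by both a trusted image and a shared-in (foreign) image.

    A collision is the dangerous case: anyone selecting an image by name
    (the usual habit in the CLI or dashboard) may pick the foreign copy.
    """
    trusted = {img["name"] for img in images if is_trusted(img, my_tenant)}
    foreign = {img["name"] for img in images if not is_trusted(img, my_tenant)}
    return trusted & foreign


def pick_image(images, my_tenant, name):
    """Resolve ``name`` to an image id, considering trusted images only.

    Returns None when no trusted image has that name (so a foreign image
    cannot be booted by accident) and raises ValueError when the name is
    ambiguous among trusted images.
    """
    matches = [img["id"] for img in images
               if img["name"] == name and is_trusted(img, my_tenant)]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("ambiguous trusted image name: %s" % name)
    return matches[0]


if __name__ == "__main__":
    for img in shared_in_images(SAMPLE_IMAGES, USER2_TENANT):
        print("shared in by %s: %s (%s)" % (img["owner"], img["name"], img["id"]))
    for name in sorted(name_collisions(SAMPLE_IMAGES, USER2_TENANT)):
        print("name collision with a foreign image: %s" % name)
    print("ubuntu-12.04 resolves to", pick_image(SAMPLE_IMAGES, USER2_TENANT, "ubuntu-12.04"))
```

Run against a real listing, the input would come from ``GET /v2/images`` for the tenant in question; the point of the audit is that on a Glance that accepts memberships without the member's consent, the owner field, not the name, is the only thing that tells a tenant's own image apart from one sneaked in by another tenant.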
