CVEs related to bugs in Glance

Open bugs

Bug CVE(s)
Bug #1990157: OSSN-0090: Malicious image data modification can happen when using COW CVE-2016-0757, CVE-2022-4134
Glance New (unassigned)

Resolved bugs

Bug CVE(s)
Bug #1056420: nosetest options cause no such option errors CVE-2012-4573
Glance Fix released, assigned to Mark Washenberger
Bug #1057322: Image fails to upload to swift: TypeError: object of type 'CooperativeReader' has no len( CVE-2012-4573
Glance Fix released, assigned to Mark Washenberger
Bug #1059634: Badly named stable/folsom Glance tarballs CVE-2012-4573
Glance Invalid (unassigned)
Bug #1060930: Admin can update metadata of a deleted image CVE-2012-4573
Glance Fix released, assigned to Unmesh Gurjar
Bug #1060944: v1 API returns 200 OK when an admin deletes a deleted image CVE-2012-4573
Glance Fix released, assigned to Unmesh Gurjar
Bug #1065187: [OSSA-2012-017] Non-admin users can cause public glance images to be deleted CVE-2012-4573
Glance Fix released, assigned to Russell Bryant
Bug #1065758: No exclude option to skip tests in run_tests.sh CVE-2012-4573
Glance Fix released, assigned to Gerardo Porras
Bug #1071446: admins can see deleted images in v2 api CVE-2012-4573
Glance Fix released, assigned to Mark Washenberger
Bug #1073569: Jenkins jobs fail because of incompatibility between sqlalchemy-migrate and the newest sqlalchemy-0.8.0b1 CVE-2012-4573, CVE-2012-5563, CVE-2012-5571
Glance Fix released, assigned to Sean Dague
Bug #1075580: Glance image-delete HTTPInternalServerError HTTP 500 CVE-2012-4573
Glance Fix released, assigned to Josh Durgin
Bug #1076506: [OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted in the v2 api CVE-2012-5482
Glance Fix released, assigned to Mark Washenberger
Bug #1098962: [OSSA 2013-002] glance image-download can display backend Swift password CVE-2013-0212
Glance Fix released, assigned to Dan Prince
Bug #1135541: [OSSA 2013-007] v1 api returns location as header for cached images CVE-2013-1840
Glance Fix released, assigned to Stuart McLaren
Bug #1177924: Use testr instead of nose as the unittest runner. CVE-2016-0738
Glance Fix released (unassigned)
Bug #1226078: Glance allows user to create images and add other tenants as members (CVE-2013-4354) CVE-2013-4354
Glance Invalid (unassigned)
Bug #1235378: [OSSA 2013-027] 'image_download' role in v2 causes traceback CVE-2013-4428
Glance Fix released, assigned to Zhi Yan Liu
Bug #1275062: [OSSA 2014-004] sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948) CVE-2014-1948
Glance Fix released, assigned to Nikhil Komawar
Bug #1298698: [OSSA 2014-012] Remote Code Execution in Sheepdog backend (CVE-2014-0162) CVE-2014-0162
Glance Fix released, assigned to Zhi Yan Liu
Bug #1400966: [OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493) CVE-2014-9493
Glance Fix released, assigned to Grant Murphy
Bug #1408663: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) CVE-2014-9493
Glance Fix released, assigned to Grant Murphy
Bug #1449062: [OSSA 2016-012] qemu-img calls need to be restricted by ulimit (CVE-2015-5162) CVE-2015-1850, CVE-2015-1851, CVE-2015-5162
Glance Fix released, assigned to Hemanth Makkapati
Bug #1454087: Image data stays in store if image is deleted after creating image using import task (CVE-2015-3289) CVE-2015-3289
Glance Fix released (unassigned)
Bug #1471912: [OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163) CVE-2015-5163
Glance Fix released, assigned to Flavio Percoco
Bug #1482371: [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) CVE-2015-5251
Glance Fix released, assigned to Stuart McLaren
Bug #1498163: [OSSA 2015-020] Glance storage quota bypass when token is expired (CVE-2015-5286) CVE-2015-5286
Glance Fix released, assigned to Mike Fedosin
Bug #1525915: [OSSA 2016-006] Normal user can change image status if show_multiple_locations has been set to true (CVE-2016-0757) CVE-2016-0757
Glance Fix released, assigned to Erno Kuvaja
Bug #1545092: Images v2 api image-create vulnerability CVE-2016-8611
Glance Opinion (unassigned)
Bug #1996188: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951) CVE-2022-47951
Glance Fix released, assigned to Dan Smith