CVE-2013-4428 - Vulnerability Details - OpenCVE

OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Openstack	Glance
Redhat	Openstack

Configuration 1 [-]

OR	cpe:2.3:a:openstack:glance::::::::
	cpe:2.3:a:openstack:glance::::::::
	cpe:2.3:a:openstack:glance:2013.2:milestone1::::::
	cpe:2.3:a:openstack:glance:2013.2:milestone2::::::
	cpe:2.3:a:openstack:glance:2013.2:milestone3::::::

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.04:::::::*

Package	CPE	Advisory	Released Date
OpenStack 3 for RHEL 6
openstack-glance-0:2013.1.4-1.el6ost	cpe:/a:redhat:openstack:3::el6	RHSA-2013:1525	2013-11-18T00:00:00Z

References

Link	Providers
http://rhn.redhat.com/errata/RHSA-2013-1525.html
http://www.openwall.com/lists/oss-security/2013/10/15/8
http://www.openwall.com/lists/oss-security/2013/10/16/9
http://www.securityfocus.com/bid/63159
http://www.ubuntu.com/usn/USN-2003-1
https://bugs.launchpad.net/glance/+bug/1235226
https://bugs.launchpad.net/glance/+bug/1235378
https://launchpad.net/glance/+milestone/2013.1.4
https://launchpad.net/glance/+milestone/2013.2
https://nvd.nist.gov/vuln/detail/CVE-2013-4428
https://www.cve.org/CVERecord?id=CVE-2013-4428

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-10-27T00:00:00

Updated: 2024-08-06T16:45:14.599Z

Reserved: 2013-06-12T00:00:00

Link: CVE-2013-4428

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-10-27T00:55:03.963

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-4428

Redhat

Severity : Moderate

Publid Date: 2013-10-04T00:00:00Z

Links: CVE-2013-4428 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-10-09T00:00:00", "descriptions": [{"lang": "en", "value": "OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-12-14T16:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2013:1525", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1525.html"}, {"name": "USN-2003-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2003-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.net/glance/+milestone/2013.1.4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/glance/+bug/1235378"}, {"name": "[oss-security] 20131015 CVE request for a vulnerability in OpenStack Glance", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/10/15/8"}, {"name": "63159", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/63159"}, {"name": "[oss-security] 20131015 Re: CVE request for a vulnerability in OpenStack Glance", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/10/16/9"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/glance/+bug/1235226"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.net/glance/+milestone/2013.2"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:45:14.599Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2013:1525", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1525.html"}, {"name": "USN-2003-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2003-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpad.net/glance/+milestone/2013.1.4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/glance/+bug/1235378"}, {"name": "[oss-security] 20131015 CVE request for a vulnerability in OpenStack Glance", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2013/10/15/8"}, {"name": "63159", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/63159"}, {"name": "[oss-security] 20131015 Re: CVE request for a vulnerability in OpenStack Glance", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2013/10/16/9"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/glance/+bug/1235226"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpad.net/glance/+milestone/2013.2"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4428", "datePublished": "2013-10-27T00:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:14.599Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*", "matchCriteriaId": "15426AFE-88FB-4A04-8F20-259F325827A0", "versionEndIncluding": "2012.2.4", "versionStartIncluding": "2012.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFFED5E7-70D2-4912-B343-4A6CD080CC48", "versionEndExcluding": "2013.1.4", "versionStartIncluding": "2013.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:glance:2013.2:milestone1:*:*:*:*:*:*", "matchCriteriaId": "9666E262-4AD2-4278-BFE7-3885D560712B", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:glance:2013.2:milestone2:*:*:*:*:*:*", "matchCriteriaId": "6C653FE7-BED8-4C96-8F4C-FA574DF6EFC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:glance:2013.2:milestone3:*:*:*:*:*:*", "matchCriteriaId": "C4778628-C032-4B4E-9A9F-6A3B0351D14E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*", "matchCriteriaId": "EFAA48D9-BEB4-4E49-AD50-325C262D46D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID."}, {"lang": "es", "value": "OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly con versiones anteriores a 2013.1.4, y Havana con versiones anteriores a 2013.2, cuando se configura la pol\u00edtica image_download, no restringe adecuadamente el acceso a las im\u00e1genes almacenadas en cach\u00e9, lo que permite a usuarios remotos autenticados leer de otra manera im\u00e1genes restringidas a trav\u00e9s de un imagen UUID."}], "id": "CVE-2013-4428", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-10-27T00:55:03.963", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1525.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2013/10/15/8"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2013/10/16/9"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/63159"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2003-1"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugs.launchpad.net/glance/+bug/1235226"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugs.launchpad.net/glance/+bug/1235378"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://launchpad.net/glance/+milestone/2013.1.4"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://launchpad.net/glance/+milestone/2013.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1525.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2013/10/15/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2013/10/16/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/63159"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2003-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugs.launchpad.net/glance/+bug/1235226"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugs.launchpad.net/glance/+bug/1235378"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://launchpad.net/glance/+milestone/2013.1.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://launchpad.net/glance/+milestone/2013.2"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}