CVE-2013-1840

Description

The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.

How to fix CVE-2013-1840

To remediate CVE-2013-1840, upgrade the affected package to a fixed version below.

• Debian/glance—upgrade to 2012.1.1-5 or later
• PyPI/glance—upgrade to 11.0.0a0 or later
• —no fix listed

Is CVE-2013-1840 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 2012.1.1-5
• from 0, < 11.0.0a0
• from 0, <= v1

References (22)

• ADVISORYgithub.com/advisories/GHSA-c8w9-83vg-r8vv
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-1840
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-1840
• PATCHgithub.com/openstack/glance
• WEBosvdb.org/91304