CVE-2015-5286
OpenStack Image Service (Glance) allows remote authenticated users to bypass storage quota, cause denial of service
EPSS 0.33%
Description
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623.
How to fix CVE-2015-5286
To remediate CVE-2015-5286, upgrade the affected package to a fixed version below.
- upgrade to 1:11.0.0-1 or later
- upgrade to 2014.2.4 or later
Is CVE-2015-5286 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1:11.0.0-1
- from 0, < 2014.2.4