Candidate: CVE-2015-1195
PublicDate: 2015-01-21 18:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1195
 http://lists.openstack.org/pipermail/openstack-announce/2015-January/000323.html
 http://lists.openstack.org/pipermail/openstack-announce/2015-January/000325.html
Description:
 The V2 API in OpenStack Image Registry and Delivery Service (Glance) before
 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to
 read or delete arbitrary files via a full pathname in a filesystem: URL in
 the image location property. NOTE: this vulnerability exists because of an
 incomplete fix for CVE-2014-9493.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.launchpad.net/ossa/+bug/1408663
Priority: medium
Discovered-by: Jin Liu
Assigned-to: mdeslaur
CVSS:

Patches_glance:
 upstream: https://review.openstack.org/145974 (icehouse)
 upstream: https://review.openstack.org/145916 (juno)
 upstream: https://review.openstack.org/145640 (kilo)
upstream_glance: needs-triage
lucid_glance: DNE
precise_glance: not-affected (code not present)
trusty_glance: released (1:2014.1.4-0ubuntu1)
trusty/esm_glance: DNE (trusty was released [1:2014.1.4-0ubuntu1])
utopic_glance: not-affected (1:2014.2.2-0ubuntu1)
vivid_glance: not-affected (1:2015.1~b2-0ubuntu1)
devel_glance: not-affected (1:2015.1~b2-0ubuntu1)