OpenStack Security Advisory: 2013-002
CVE: CVE-2013-0212
Date: January 29, 2013
Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions
Description:
Dan Prince of Red Hat discovered an issue in Glance error reporting. An
authenticated user may access the Glance operator’s Swift credentials
for an endpoint in two cases: when creating an image in Glance by URL
that references a misconfigured Swift endpoint, or when the Swift
endpoint that a previously-ACTIVE image references becomes unusable for
any reason. Only setups that use the single-tenant Swift store are
affected.
Grizzly fix:
Folsom fix:
(included in upcoming Glance 2012.2.3 stable update)
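
Added example (not Glance code and not the fix referenced above): a leaking error path next to a redacting one, for the failure described in the advisory. It assumes the store location is a URI that carries the operator's credentials in its authority part; the sample URI and the names BackendError, redact_uri, unreachable, fetch_leaky and fetch_safe are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample location; the credential-in-URI layout is an assumption.
SAMPLE_URI = "swift+https://tenant:operator:s3cr3t-key@auth.example.invalid/v1/images/abc"


class BackendError(Exception):
    """Error text that is returned to the authenticated API user (hypothetical)."""


def redact_uri(uri):
    """Return uri with embedded credentials replaced, failing closed if unsure."""
    parts = urlsplit(uri)
    # The host is whatever follows the last '@'; a key may itself contain '@' or ':'.
    _userinfo, sep, hostport = parts.netloc.rpartition("@")
    if sep:
        # Query and fragment are dropped as well: they can carry tokens.
        return urlunsplit((parts.scheme, "***@" + hostport, parts.path, "", ""))
    if "@" in uri:
        # '@' outside the authority, e.g. an unquoted '/' in the key moved the
        # secret into the path. Do not guess where it ends.
        return parts.scheme + "://<redacted>"
    return uri


def unreachable(uri):
    """Stand-in for a store client whose endpoint has become unusable."""
    raise ConnectionError("endpoint unusable")


def fetch_leaky(uri, connect):
    try:
        return connect(uri)
    except OSError as exc:
        # Before: the full location, credentials included, reaches the user.
        raise BackendError(f"Could not reach store {uri}: {exc}") from exc


def fetch_safe(uri, connect):
    try:
        return connect(uri)
    except OSError:
        # After: redacted location only. 'from None' drops the chained
        # exception, whose text or traceback may also carry the URI.
        raise BackendError(f"Could not reach store {redact_uri(uri)}") from None
```

The same redaction belongs on log lines and on any stored failure reason, since the second case in the description involves an image that was already ACTIVE.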