Comment 5 for bug 1098962

Brian Waldon (bcwaldon) wrote : Re: glance image-download can display backend Swift password

I did not verify this functionally, but by looking at the code, this vulnerability appears to affect Diablo (2011.3.1) and Cactus as well (not Bexar). Here is a proposed impact statement:

By creating an image in Glance by URL that references a misconfigured Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image references for any reason becomes unusable, any user may gain the Glance operator's Swift credentials for that endpoint. Only setups that use the single-tenant Swift store are affected.