Comment 6 for bug 1098962

Thierry Carrez (ttx) wrote : Re: glance image-download can display backend Swift password

Impact statement looks good, s/gain/access maybe
My understanding is that the user must be authenticated, adding that to the mix as well, and adding headers, we get:

Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions

Dan Prince of Red Hat discovered an issue in Glance error reporting. By creating an image in Glance by URL that references a mis-configured Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image references for any reason becomes unusable, an authenticated user may access the Glance operator's Swift credentials for that endpoint. Only setups that use the single-tenant Swift store are affected.