First draft of impact description -
Title: Lack of ACL on deactivated image deletion request
Reporter: Niall Bunting (HPE)
Products: Glance
Affects: >=2015.1.0
Description:
Niall Bunting of Hewlett Packard Enterprise (HPE) reported a
vulnerability in Glance. Due to a failure to properly restrict
access controls a user may delete images that have been deactivated
by an administrator. A tenant may abuse this flaw to hide malicious
activities from an administrator. All Glance deployments are affected.