[Glance] Glance user storage quota bypass #1
Bug #1414685 reported by ruhe
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mirantis OpenStack | Invalid | Critical | Mike Fedosin | |
5.1.x | Fix Released | Critical | Denis Puchkin | |
6.0.x | Fix Released | Critical | Denis Meltsaykin | |
6.1.x | Fix Released | Critical | Mike Fedosin | |
7.0.x | Fix Released | Critical | Mike Fedosin | |
8.0.x | Invalid | Critical | Mike Fedosin | |
Bug Description
By deleting images that are being uploaded, a malicious user can overcome the storage quota and thus may overrun the backend. Images in deleted state are not taken into account by quota and won't be effectively deleted until the upload is completed. Only Glance setups configured with user_storage_quota are affected.
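The accounting gap described above, modelled as an added example that is not part of the original report and is not Glance code. The `Image` record, its fields and the function names are hypothetical, and the sample data is constructed; the model contrasts usage that skips deleted images with usage that keeps counting a deleted image while its upload is still writing, then audits for owners whose backend usage exceeds the quota unnoticed.

```python
from dataclasses import dataclass

@dataclass
class Image:           # hypothetical record, not Glance's image model
    owner: str
    status: str        # "active", "saving" or "deleted"
    stored_bytes: int  # bytes currently held on the storage backend
    upload_open: bool  # True while an upload is still writing data

def usage_reported(images, owner):
    """Accounting as the report describes it: deleted images are skipped."""
    return sum(i.stored_bytes for i in images
               if i.owner == owner and i.status != "deleted")

def usage_on_backend(images, owner):
    """Keep counting a deleted image while its upload is still writing."""
    return sum(i.stored_bytes for i in images
               if i.owner == owner and (i.status != "deleted" or i.upload_open))

def admit_upload(images, owner, size, quota, usage_fn):
    """Quota gate: allow the upload only if usage plus the new size fits."""
    return usage_fn(images, owner) + size <= quota

def audit(images, quota):
    """Return {owner: hidden_bytes} for owners whose backend usage exceeds
    the quota although the reported figure does not."""
    findings = {}
    for owner in sorted({i.owner for i in images}):
        reported = usage_reported(images, owner)
        real = usage_on_backend(images, owner)
        if reported <= quota < real:
            findings[owner] = real - reported
    return findings

# Constructed sample data, sizes in bytes.
QUOTA = 100
IMAGES = [
    Image("alice", "active", 40, False),
    Image("alice", "deleted", 50, True),   # deleted mid-upload, still writing
    Image("alice", "deleted", 30, True),
    Image("bob", "active", 70, False),
    Image("bob", "deleted", 0, False),     # upload finished, data purged
]

if __name__ == "__main__":
    print(audit(IMAGES, QUOTA))
```
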
CVE References
information type: | Private Security → Public Security |
no longer affects: | mos/8.0.x |
Changed in mos: | |
milestone: | 6.1 → 8.0 |
status: | Confirmed → New |
summary: | - Glance user storage quota bypass + [Glance] Glance user storage quota bypass #1 |
tags: | added: rca-done |
tags: | added: on-automation |
tags: | added: feature-security |
Aleksey Galkin, could you please verify the fix on MOS 6.1 release ISO?