The vulnerability stemmed from an insecure order of operations in the image deletion flow. In the original code, the delete method in glance/api/v1/images.py called safe_delete_from_backend (or schedule_delayed_delete_from_backend) before registry.delete_image_metadata. Because the authorization check for the request is performed by the registry, the image data was removed from the storage backend before the caller's permission to delete the image had been validated: a request that the registry would then reject had already destroyed the backing data, leaving the registry metadata in place but pointing at nothing. The fix (commit 6ab0992) moves the registry operations first, so an unauthorized request is rejected before any backend deletion takes place, which confirms that the vulnerability lay in the original function's execution order.
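The following is an added illustration of the ordering bug described above, written for this page; it is not Glance's own code. It models the two components the description names with in-memory stand-ins: a registry that owns the metadata and performs the owner check on delete (standing in for registry.delete_image_metadata), and a backend that holds the image bytes (standing in for the store that safe_delete_from_backend removes data from). The names Forbidden, FakeRegistry, FakeBackend, delete_vulnerable, delete_fixed and run_scenario, and the owner-equality rule used as the authorization check, are assumptions made for the example.

```python
"""Vulnerable versus fixed ordering of backend deletion and the registry
authorization check (added example; not Glance code)."""


class Forbidden(Exception):
    """Raised by the registry when the caller does not own the image (assumed rule)."""


class FakeRegistry:
    """Stand-in for the Glance registry: stores metadata and authorizes deletes."""

    def __init__(self):
        self.metadata = {}

    def add(self, image_id, owner, location):
        self.metadata[image_id] = {"owner": owner, "location": location}

    def get_image_meta(self, image_id):
        return self.metadata[image_id]

    def delete_image_metadata(self, context, image_id):
        # Authorization lives here, as the advisory text describes; the
        # simple owner check is an assumption for this example.
        if self.metadata[image_id]["owner"] != context["user"]:
            raise Forbidden(f"{context['user']} may not delete {image_id}")
        del self.metadata[image_id]


class FakeBackend:
    """Stand-in for the image store; holds the bytes keyed by location."""

    def __init__(self):
        self.blobs = {}

    def put(self, location, data):
        self.blobs[location] = data

    def safe_delete_from_backend(self, location):
        # Mirrors the "safe" flavour: a missing blob is not an error.
        self.blobs.pop(location, None)


def delete_vulnerable(registry, backend, context, image_id):
    """Original ordering: the backend blob is removed before the registry
    (and therefore the authorization check) is consulted."""
    image = registry.get_image_meta(image_id)
    backend.safe_delete_from_backend(image["location"])
    registry.delete_image_metadata(context, image_id)


def delete_fixed(registry, backend, context, image_id):
    """Ordering after the fix: the registry call runs first, so an
    unauthorized caller is rejected before any stored data is touched."""
    image = registry.get_image_meta(image_id)
    registry.delete_image_metadata(context, image_id)
    backend.safe_delete_from_backend(image["location"])


def run_scenario(delete_fn, user):
    """Attempt a delete as `user` and report (blob_survives, metadata_survives).

    The image, owner and bytes are constructed sample data."""
    registry, backend = FakeRegistry(), FakeBackend()
    registry.add("img-1", owner="alice", location="store://img-1")
    backend.put("store://img-1", b"constructed image bytes")
    try:
        delete_fn(registry, backend, {"user": user}, "img-1")
    except Forbidden:
        pass  # the request was rejected; what matters is what was left behind
    return ("store://img-1" in backend.blobs, "img-1" in registry.metadata)


if __name__ == "__main__":
    for name, fn in (("vulnerable", delete_vulnerable), ("fixed", delete_fixed)):
        for user in ("alice", "mallory"):
            blob, meta = run_scenario(fn, user)
            print(f"{name:10s} user={user:7s} blob_survives={blob} metadata_survives={meta}")
```

With the vulnerable ordering, a non-owner's request leaves the registry entry intact while the stored bytes are already gone, which is the dangling-metadata outcome the description warns about; with the registry call moved first, the same request is rejected before the backend is touched, and the owner's legitimate delete behaves identically under both orderings.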
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| glance | pip | < 11.0.0a0 | 11.0.0a0 |