
CVE-2014-9623: OpenStack Glance Bypass the storage quota and Denial of service

CVSS Score: 4

Basic Information

EPSS Score: 0.76063%
CWE: -
Published: 5/17/2022
Updated: 5/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
glance         pip         < 11.0.0a0            11.0.0a0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from improper state handling in save/update operations. Key functions in the db layer (image_update), the API proxies (ImageRepoProxy.save), and the upload handlers lacked 'from_state' checks, so an image deleted while in the 'saving' state could still have its upload completed, bypassing the storage quota. The patch added state-aware saving and conflict handling at exactly these points, confirming they were the vulnerable functions.
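As an added illustration (not Glance's own code), the following simplified model shows the race the analysis describes and why a 'from_state' check closes it: an image table with soft deletes, a backend store holding uploaded bytes, and an upload path that publishes the record either unconditionally or only if the image is still in 'saving'. The class and function names (ImageStore, finish_upload, delete_during_saving) and the accounting rules are assumptions made for this example.

```python
# Constructed model of the defect: soft-deleting image rows, a backend store of
# uploaded bytes, and an upload that saves with or without a from_state check.
# Names and structure are assumptions for this illustration, not Glance's code.
SAVING, ACTIVE, DELETED = "saving", "active", "deleted"

class Conflict(Exception):
    """The image left the expected state before the save was applied."""

class ImageStore:
    def __init__(self):
        self.db = {}       # image_id -> {"status", "size", "deleted"}
        self.backend = {}  # image_id -> bytes actually written to disk
    def begin_upload(self, image_id):
        self.db[image_id] = {"status": SAVING, "size": 0, "deleted": False}
    def delete(self, image_id):
        # Soft delete: the row stays but drops out of quota accounting.
        self.db[image_id].update(status=DELETED, deleted=True)
        self.backend.pop(image_id, None)  # nothing stored yet if mid-upload
    def image_update(self, image_id, values, from_state=None):
        # With from_state, the update only applies if the row is still in it.
        row = self.db[image_id]
        if from_state is not None and row["status"] != from_state:
            raise Conflict(f"{image_id} is {row['status']}, not {from_state}")
        row.update(values)
    def quota_used(self):
        return sum(r["size"] for r in self.db.values() if not r["deleted"])
    def disk_used(self):
        return sum(len(b) for b in self.backend.values())

def finish_upload(store, image_id, data, state_aware):
    """Write the data, then publish the record; state_aware selects the fix."""
    store.backend[image_id] = data
    try:
        store.image_update(image_id, {"status": ACTIVE, "size": len(data)},
                           from_state=SAVING if state_aware else None)
    except Conflict:
        store.backend.pop(image_id, None)  # image is gone: release the bytes
        return False
    return True

def delete_during_saving(state_aware):
    """Race: the image is deleted after upload starts but before it is saved."""
    store = ImageStore()
    store.begin_upload("img-1")
    store.delete("img-1")  # concurrent delete while the image is still 'saving'
    finish_upload(store, "img-1", b"x" * 1024, state_aware)
    # Returns (bytes counted against the quota, bytes actually on disk).
    return store.quota_used(), store.disk_used()
```

Without the check the deleted row is overwritten but stays flagged deleted, so 1024 bytes sit on disk while the quota records zero; with the check the save conflicts and the bytes are released.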


WAF Protection Rules

WAF Rule

OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state.
