Miggo Logo
Miggo Vulnerability Database
CVE-2015-5251

CVE-2015-5251: OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions

5.5

CVSS Score

Basic Information

CVE ID
CVE-2015-5251
GHSA ID
GHSA-q748-mcwg-xmqv
EPSS Score
0.39214%
CWE
-
Published
5/17/2022
Updated
2/13/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
AV:N/AC:L/Au:S/C:N/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
glancepip< 2014.2.42014.2.4
glancepip>= 2015.1.0, < 2015.1.22015.1.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper validation of the x-image-meta-status header in v1 API requests. The patch adds validation logic to the ImagesController.update() method in glance/api/v1/images.py, specifically checking if the provided status matches the current image status. This indicates that prior to the patch, the update method processed these headers without proper authorization checks, making it the entry point for the vulnerability. The function signature matches the API endpoint structure and would appear in profilers handling image update operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Op*nSt**k Im*** S*rvi** (*l*n**) ***or* ****.*.* (juno) *n* ****.*.x ***or* ****.*.* (kilo) *llow r*mot* *ut**nti**t** us*rs to ***n** t** st*tus o* t**ir im***s *n* *yp*ss ****ss r*stri*tions vi* t** *TTP x-im***-m*t*-st*tus *****r to im***s/*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r v*li**tion o* t** x-im***-m*t*-st*tus *****r in v* *PI r*qu*sts. T** p*t** ***s `v*li**tion` lo*i* to t** `Im***s*ontroll*r.up**t*()` m*t*o* in `*l*n**/*pi/v*/im***s.py`, sp**i*i**lly ****kin* i* t** provi*** st*