CVE-2016-0757

MEDIUM

OpenStack Image Service - Privilege Escalation

Title source: llm

Description

OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allows remote authenticated users to change image status and upload new image data by removing the last location of an image.

Scores

CVSS v3 4.3
EPSS 0.0015
EPSS Percentile 36.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE
CWE-284
Status draft

Affected Products (4)

openstack/image_registry_and_delivery_service_\(glance\)
openstack/image_registry_and_delivery_service_\(glance\)
openstack/image_registry_and_delivery_service_\(glance\)
pypi/glance < 11.0.2 (PyPI)

Timeline

Published Apr 13, 2016
Tracked Since Feb 18, 2026