Comment 17 for bug 1135541

Thierry Carrez (ttx) wrote : Re: v1 api returns location as header for cached images

Proposed impact description. Please double-check in particular that only v1 is affected and only the Swift backend is affected. Is there a way to disable v1 completely to work around the issue?

---------------------
Title: Backend credentials leak in Glance v1 API
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: All versions

Description:
Stuart McLaren from HP reported a vulnerability in the information potentially returned to the user in the Glance v1 API. If an authenticated user requests, through the v1 API, an image that is already cached, the headers returned may disclose the Glance operator's Swift credentials for that endpoint. Only setups accepting the Glance v1 API and using the single-tenant Swift store are affected.
----------------------
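An operator-side check for the disclosure described in the comment above, as an added example that is not part of the comment or of Glance's code: it scans a response's headers for URI values that carry embedded credentials and reports them redacted. The header name, host and credential values are constructed, and the `swift+https://user:key@host/...` location form is an assumption about how the single-tenant Swift store encodes its location.

```python
from urllib.parse import urlsplit

# Constructed sample response headers. The header name, host and credential
# values are made up for this example and do not come from the bug report.
SAMPLE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "X-Example-Location":
        "swift+https://tenant:user:s3cr3tkey@auth.example.com/v2.0/glance/img-1",
    "ETag": "d41d8cd98f00b204e9800998ecf8427e",
}


def find_credentialed_uris(headers):
    """Return (header name, redacted URI) for values with embedded userinfo."""
    findings = []
    for name, value in headers.items():
        try:
            parts = urlsplit(value.strip())
        except ValueError:
            # Not parseable as a URI (e.g. malformed brackets); nothing to flag.
            continue
        # Only an absolute URI with an authority part can carry secret@host.
        if not parts.scheme or "@" not in parts.netloc:
            continue
        # Keep the host so the finding is actionable, drop the userinfo so the
        # report itself does not repeat the secret.
        host = parts.netloc.rsplit("@", 1)[1]
        redacted = parts._replace(netloc="REDACTED@" + host).geturl()
        findings.append((name, redacted))
    return findings


if __name__ == "__main__":
    for header, uri in find_credentialed_uris(SAMPLE_HEADERS):
        print(f"credential-bearing URI in header {header!r}: {uri}")
```
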