CVE-2013-4428

Name	CVE-2013-4428
Description	OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity	low
Debian Bugs	726478

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
glance (PTS)	jessie	2014.1.3-12+deb8u1	fixed
	stretch	2:13.0.0-4	fixed
	buster	2:17.0.0-4	fixed
	bullseye, sid	2:19.0.0-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
glance	source	(unstable)	2013.2-1			726478
glance	source	wheezy	(not affected)

[wheezy] - glance <not-affected> (does not have the download_image)