OpenCVE

An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openstack	Glance

Configuration 1 [-]

cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/96988
https://bugs.launchpad.net/ossn/+bug/1153614
https://bugs.launchpad.net/ossn/+bug/1606495
https://nvd.nist.gov/vuln/detail/CVE-2017-7200
https://wiki.openstack.org/wiki/OSSN/OSSN-0078
https://www.cve.org/CVERecord?id=CVE-2017-7200

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-03-21T06:21:00

Updated: 2024-08-05T15:56:36.027Z

Reserved: 2017-03-20T00:00:00

Link: CVE-2017-7200

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-03-21T06:59:00.227

Modified: 2024-11-21T03:31:21.420

Link: CVE-2017-7200

Redhat

Severity : Moderate

Publid Date: 2017-03-15T00:00:00Z

Links: CVE-2017-7200 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-03-20T00:00:00", "descriptions": [{"lang": "en", "value": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-22T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "96988", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96988"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7200", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "96988", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96988"}, {"name": "https://bugs.launchpad.net/ossn/+bug/1153614", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"name": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078", "refsource": "CONFIRM", "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}, {"name": "https://bugs.launchpad.net/ossn/+bug/1606495", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:56:36.027Z"}, "title": "CVE Program Container", "references": [{"name": "96988", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96988"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7200", "datePublished": "2017-03-21T06:21:00", "dateReserved": "2017-03-20T00:00:00", "dateUpdated": "2024-08-05T15:56:36.027Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFA0356D-3F1F-4F41-9069-6DAE56268CE5", "versionEndIncluding": "mitaka", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service."}, {"lang": "es", "value": "Un problema SSRF ha sido descubierto en OpenStack Glance en versiones anteriores a Newton. La funci\u00f3n 'copy_from' de Image Service API v1 permiti\u00f3 a un atacante realizar exploraciones de puerto de red enmascaradas. Con v1, es posible crear im\u00e1genes con una URL como 'http: // localhost: 22'. Esto podr\u00eda permitir a un atacante enumerar los detalles internos de la red mientras aparezca enmascarado, ya que el an\u00e1lisis parecer\u00eda originarse del servicio Glance Image."}], "id": "CVE-2017-7200", "lastModified": "2024-11-21T03:31:21.420", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-21T06:59:00.227", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96988"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96988"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "openstack-glance: API v1 copy_from reveals network details", "id": "1434244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434244"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.", "The copy_from feature in Image Service API v1 allows an attacker to perform masked network port scans. It is possible to create images with a URL such as 'http://localhost:22'. This could allow an attacker to enumerate internal network details while appearing masked, because the scan appears to originate from the Image Service. This is classified as a Server-Side Request Forgery (SSRF). Note: Some knowledge of the internal network might be necessary to exploit this flaw internally (apart from localhost)."], "name": "CVE-2017-7200", "package_state": [{"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Will not fix", "package_name": "openstack-glance", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Will not fix", "package_name": "openstack-glance", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Will not fix", "package_name": "openstack-glance", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "openstack-glance", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "openstack-glance", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2017-03-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7200\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7200\nhttps://bugs.launchpad.net/ossn/+bug/1153614\nhttps://bugs.launchpad.net/ossn/+bug/1606495\nhttps://wiki.openstack.org/wiki/OSSN/OSSN-0078"], "statement": "Because the Image Service APIv1 was deprecated in Newton and because a workaround is possible, no fix is being made available.\nFor impacted products and the recommended mitigation, see the Knowledge Base article for this issue:\nhttps://access.redhat.com/security/vulnerabilities/2999581", "threat_severity": "Moderate"}