CVE-2022-4134

2022-11-2400:12:07

redhat.com

access.redhat.com

openstack-glance

flaw

images

virtual machines

integrity

remote attacker

authenticated

mitigation

CVSS3

2.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

23.9%

JSON

A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images.

Mitigation

There are two options:
1. Manually disable the show_multiple_locations configuration setting (change it to false).
2. Keep show_multiple_locations enabled, but restrict the glance-api service from being exposed directly to end users. Refer the upstream OSSN listed in the external references section for further details.