openstack-glance is vulnerable to authorization bypass. An authorization vulnerability allowed image-status manipulation using locations. By removing the last location of an image, an authenticated user could change the status from ‘active’ to ‘queue’. A malicious tenant could exploit this flaw to silently replace owned image data, regardless of its original creator or visibility settings. Only environments with show_multiple_locations set to true (not default) were affected.
rhn.redhat.com/errata/RHSA-2016-0309.html
www.securityfocus.com/bid/82696
access.redhat.com/errata/RHSA-2016:0309
access.redhat.com/errata/RHSA-2016:0352
access.redhat.com/errata/RHSA-2016:0354
access.redhat.com/errata/RHSA-2016:0358
access.redhat.com/security/cve/CVE-2016-0757
access.redhat.com/security/updates/classification/#low
bugzilla.redhat.com/show_bug.cgi?id=1302607
rhn.redhat.com/errata/RHSA-2016-0309.html
security.openstack.org/ossa/OSSA-2016-006.html