CVE-2017-7200 - OpenCVE

An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Openstack	Glance

Configuration 1 [-]

cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/96988	Third Party Advisory VDB Entry
https://bugs.launchpad.net/ossn/+bug/1153614	Third Party Advisory
https://bugs.launchpad.net/ossn/+bug/1606495	Third Party Advisory
https://wiki.openstack.org/wiki/OSSN/OSSN-0078	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-03-21T06:21:00

Updated: 2017-03-22T09:57:01

Reserved: 2017-03-20T00:00:00

Link: CVE-2017-7200

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-03-21T06:59:00.227

Modified: 2017-03-30T16:39:06.280

Link: CVE-2017-7200

JSON object: View

Redhat Information

No data.

CWE

CWE-918

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-03-20T00:00:00", "descriptions": [{"lang": "en", "value": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-22T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "96988", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96988"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7200", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "96988", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96988"}, {"name": "https://bugs.launchpad.net/ossn/+bug/1153614", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"name": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078", "refsource": "CONFIRM", "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}, {"name": "https://bugs.launchpad.net/ossn/+bug/1606495", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7200", "datePublished": "2017-03-21T06:21:00", "dateReserved": "2017-03-20T00:00:00", "dateUpdated": "2017-03-22T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFA0356D-3F1F-4F41-9069-6DAE56268CE5", "versionEndIncluding": "mitaka", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service."}, {"lang": "es", "value": "Un problema SSRF ha sido descubierto en OpenStack Glance en versiones anteriores a Newton. La funci\u00f3n 'copy_from' de Image Service API v1 permiti\u00f3 a un atacante realizar exploraciones de puerto de red enmascaradas. Con v1, es posible crear im\u00e1genes con una URL como 'http: // localhost: 22'. Esto podr\u00eda permitir a un atacante enumerar los detalles internos de la red mientras aparezca enmascarado, ya que el an\u00e1lisis parecer\u00eda originarse del servicio Glance Image."}], "id": "CVE-2017-7200", "lastModified": "2017-03-30T16:39:06.280", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-21T06:59:00.227", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96988"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ossn/+bug/1153614"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ossn/+bug/1606495"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0078"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}