CVE-2013-4354 in Image Registry And Delivery Service (glance)
Summary
by MITRE
The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance) makes it easier for local users to inject images into arbitrary tenants by adding the tenant as a member of the image.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/25/2025
The vulnerability identified as CVE-2013-4354 resides within the OpenStack Image Registry and Delivery Service known as Glance, specifically affecting versions prior to 2.1. This issue represents a significant authorization flaw that undermines the multi-tenant security model that OpenStack employs to isolate different users and organizations within the same infrastructure. The vulnerability stems from improper access control mechanisms within the Glance API that fail to adequately validate tenant ownership and permissions when processing image registration requests.
The technical flaw manifests when a local user attempts to inject an image into a tenant's namespace without proper authorization. The vulnerability allows malicious actors to exploit a weakness in the API's member management functionality, where the system permits the addition of arbitrary tenants as members of images they do not own. This creates a scenario where unauthorized users can gain access to images belonging to other tenants by simply adding themselves as members, effectively bypassing the intended access controls that should prevent such cross-tenant data leakage.
From an operational perspective, this vulnerability poses a severe risk to cloud environments that rely on OpenStack Glance for image management and storage. The impact extends beyond simple data exposure to encompass potential privilege escalation and unauthorized access to sensitive tenant information. Attackers could leverage this vulnerability to access proprietary images, confidential operating system templates, or other valuable assets that should remain isolated within their respective tenant domains. The vulnerability particularly affects multi-tenant deployments where different organizations share the same cloud infrastructure but require strict isolation of their resources and data.
This vulnerability maps to CWE-284, which describes improper access control, and aligns with ATT&CK technique T1078.004 for valid accounts, as it enables unauthorized access through legitimate API endpoints. The flaw represents a critical gap in the principle of least privilege, where the system fails to enforce proper tenant isolation. Organizations implementing OpenStack solutions should consider immediate mitigation through patching to version 2.1 or later, which includes the necessary access control improvements. Additional defensive measures include implementing network segmentation, monitoring API access logs for anomalous member additions, and conducting regular security audits of image registry operations. The vulnerability highlights the importance of proper API validation and tenant isolation mechanisms in cloud environments, particularly within containerized and virtualized infrastructures where resource sharing occurs at scale.