CVE-2013-4354 in Image Registry And Delivery Service (glance)info

Summary

by MITRE

The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance) makes it easier for local users to inject images into arbitrary tenants by adding the tenant as a member of the image.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/25/2025

The vulnerability identified as CVE-2013-4354 resides within the OpenStack Image Registry and Delivery Service known as Glance, specifically affecting versions prior to 2.1. This issue represents a significant authorization flaw that undermines the multi-tenant security model that OpenStack employs to isolate different users and organizations within the same infrastructure. The vulnerability stems from improper access control mechanisms within the Glance API that fail to adequately validate tenant ownership and permissions when processing image registration requests.

The technical flaw manifests when a local user attempts to inject an image into a tenant's namespace without proper authorization. The vulnerability allows malicious actors to exploit a weakness in the API's member management functionality, where the system permits the addition of arbitrary tenants as members of images they do not own. This creates a scenario where unauthorized users can gain access to images belonging to other tenants by simply adding themselves as members, effectively bypassing the intended access controls that should prevent such cross-tenant data leakage.

From an operational perspective, this vulnerability poses a severe risk to cloud environments that rely on OpenStack Glance for image management and storage. The impact extends beyond simple data exposure to encompass potential privilege escalation and unauthorized access to sensitive tenant information. Attackers could leverage this vulnerability to access proprietary images, confidential operating system templates, or other valuable assets that should remain isolated within their respective tenant domains. The vulnerability particularly affects multi-tenant deployments where different organizations share the same cloud infrastructure but require strict isolation of their resources and data.

This vulnerability maps to CWE-284, which describes improper access control, and aligns with ATT&CK technique T1078.004 for valid accounts, as it enables unauthorized access through legitimate API endpoints. The flaw represents a critical gap in the principle of least privilege, where the system fails to enforce proper tenant isolation. Organizations implementing OpenStack solutions should consider immediate mitigation through patching to version 2.1 or later, which includes the necessary access control improvements. Additional defensive measures include implementing network segmentation, monitoring API access logs for anomalous member additions, and conducting regular security audits of image registry operations. The vulnerability highlights the importance of proper API validation and tenant isolation mechanisms in cloud environments, particularly within containerized and virtualized infrastructures where resource sharing occurs at scale.

Reservation

06/12/2013

Disclosure

11/23/2013

Moderation

accepted

Entry

VDB-65552

CPE

ready

EPSS

0.00338

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!