GMS-2020-725: Unauthorized File Access in glance
Versions of glance prior to 3.0.7 are vulnerable to Unauthorized File Access. The package provides a --nodot option meant to hide files and directories whose names begin with a dot ("."), such as ".git", but it fails to hide files inside a folder whose name begins with a dot.
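The flaw described above, shown as an added example that is not glance's own code: a dotfile filter that tests only the file name, next to one that tests every path segment. The function names and sample paths are hypothetical and constructed for illustration.

```javascript
// Added illustration; these function names are hypothetical, not glance's API.

// Split a request path into its non-empty segments, ignoring "." (current dir).
function segments(requestPath) {
  return requestPath.split('/').filter((s) => s !== '' && s !== '.');
}

// Flawed: only the last segment (the file or directory name itself) is tested,
// so a file inside a dot folder is not recognised as hidden.
function hiddenByNameOnly(requestPath) {
  const segs = segments(requestPath);
  return segs.length > 0 && segs[segs.length - 1].startsWith('.');
}

// Corrected: a path is hidden if ANY segment starts with a dot.
// This also treats ".." segments as hidden, which fails closed.
function hiddenByAnySegment(requestPath) {
  return segments(requestPath).some((s) => s.startsWith('.'));
}

// Audit helper: paths the flawed check would serve but the corrected one hides.
function exposedByFlawedCheck(paths) {
  return paths.filter((p) => !hiddenByNameOnly(p) && hiddenByAnySegment(p));
}

// Constructed sample paths.
const samplePaths = [
  '/index.html',
  '/.git',
  '/.git/config',
  '/docs/.env',
  '/.cache/build/output.log',
  '/./css/site.css',
];

console.log(exposedByFlawedCheck(samplePaths));
```
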
Recommendation
Upgrade to version 3.0.7 or later.