{
  "id": 5256,
  "date": "2026-03-19T17:32:12",
  "date_gmt": "2026-03-19T16:32:12",
  "guid": {"rendered": "https:\/\/yaook.cloud\/?page_id=5256"},
  "modified": "2026-03-24T09:59:51",
  "modified_gmt": "2026-03-24T08:59:51",
  "slug": "security-advisories-ossa-2026-004",
  "status": "publish",
  "type": "page",
  "link": "https:\/\/yaook.cloud\/en\/security-advisories-ossa-2026-004\/",
  "title": {"rendered": "security-advisories\/ossa-2026-004"},
  "content": {
    "rendered": "<h1>YAOOK Security Advisory for OSSA-2026-004<\/h1>\n<ul>\n<li>Date: 2026-03-19<\/li>\n<li>Upstream advisory: <a href=\"https:\/\/security.openstack.org\/ossa\/OSSA-2026-004.html\">https:\/\/security.openstack.org\/ossa\/OSSA-2026-004.html<\/a><\/li>\n<li>Upstream bug report: <a href=\"https:\/\/bugs.launchpad.net\/glance\/+bug\/2138602\">https:\/\/bugs.launchpad.net\/glance\/+bug\/2138602<\/a><\/li>\n<\/ul>\n<h2>What is OSSA-2026-004 and how does it affect YAOOK?<\/h2>\n<p>OSSA-2026-004 describes Server-Side Request Forgery (SSRF) vulnerabilities in the OpenStack Glance image import functionality. By using HTTP redirects, an authenticated user can bypass URL validation checks and redirect requests to internal services.<\/p>\n<p>Only the Glance image import functionality is affected. In particular, the <code>web-download<\/code> and <code>glance-download<\/code> import methods are subject to this vulnerability, as is the optional (not enabled by default) <code>ovf_process<\/code> image import plugin.<\/p>\n<h2>Is my cluster vulnerable?<\/h2>\n<p>The following images are vulnerable:<\/p>\n<ul>\n<li>glance images BEFORE 1.1.156<\/li>\n<li>Yaook versions &lt;= v1.4.0 and 1.5.0<\/li>\n<\/ul>\n<p>If any of these images are used in your cluster, the cluster is vulnerable.<\/p>\n<h2 id=\"upgrading\">Upgrading<\/h2>\n<p>A new stable release 1.4.1 has been published today. You can upgrade to that release simply by updating your operators.<\/p>\n<p>Release 2.0.0 will also contain this fix.<\/p>\n<p>If you don't want to wait for the release, you can use a version override at the glance-operator (adjust the OpenStack version to the version you have deployed):<\/p>\n<pre><code>values:\n  operator:\n    extraEnv:\n    - name: YAOOK_OP_VERSIONS_OVERRIDE\n      value: |\n        registry.yaook.cloud\/yaook\/glance-2025.1: 1.1.156\n<\/code><\/pre>",
    "protected": false
  },
  "excerpt": {
    "rendered": "<p>YAOOK Security Advisory for OSSA-2026-004 Date: 2026-03-19 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2026-004.html Upstream bug report: https:\/\/bugs.launchpad.net\/glance\/+bug\/2138602 What is OSSA-2026-004 and how does it affect YAOOK? Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality. By using HTTP redirects, an authenticated user can bypass URL validation checks and redirect requests to internal services. Only glance image import [&hellip;]<\/p>\n",
    "protected": false
  },
  "author": 8,
  "featured_media": 0,
  "parent": 0,
  "menu_order": 0,
  "comment_status": "closed",
  "ping_status": "closed",
  "template": "",
  "meta": {"_acf_changed": false, "inline_featured_image": false, "footnotes": ""},
  "class_list": ["post-5256", "page", "type-page", "status-publish", "hentry"],
  "acf": [],
  "_links": {
    "self": [{"href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5256", "targetHints": {"allow": ["GET"]}}],
    "collection": [{"href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages"}],
    "about": [{"href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/types\/page"}],
    "author": [{"embeddable": true, "href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/users\/8"}],
    "replies": [{"embeddable": true, "href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/comments?post=5256"}],
    "version-history": [{"count": 10, "href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5256\/revisions"}],
    "predecessor-version": [{"id": 5270, "href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5256\/revisions\/5270"}],
    "wp:attachment": [{"href": "https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/media?parent=5256"}],
    "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
  }
}