date: 2015-06-16

id: OSSA-2015-011

title: 'Cinder host file disclosure through qcow2 backing file'

description: 'Bastian Blank from credativ reported a vulnerability in Cinder. By
    overwriting an image with a malicious qcow2 header, an authenticated
    user may mislead Cinder upload-to-image action, resulting in
    disclosure of any file from the Cinder server. All Cinder setups are
    affected.'

errata: 'CVE-2015-1850 has been assigned to a similar issue in Nova, the correct
    CVE number for Cinder is CVE-2015-1851'

affected-products:

  - product: cinder
    version: versions through 2014.1.4, and 2014.2 versions through 2014.2.3,
             and version 2015.1.0

vulnerabilities:

  - cve-id: CVE-2015-1851

reporters:

  - name: 'Bastian Blank'
    affiliation: Credativ
    reported:
      - CVE-2015-1851

issues:

  links:
    - https://launchpad.net/bugs/1415087

  type: launchpad

reviews:

  liberty:
    - https://review.openstack.org/191785

  kilo:
    - https://review.openstack.org/191786

  juno:
    - https://review.openstack.org/191865

  icehouse:
    - https://review.openstack.org/191871

  type: gerrit

notes:
  - 'This fix will be included in future 2014.1.5 (icehouse),
     2014.2.4 (juno) and 2015.1.1 (kilo) releases.'

errata_history:
  - 2015-06-17 - Errata 1
  - 2015-06-16 - Original Version