63 lines
1.3 KiB
YAML
63 lines
1.3 KiB
YAML
date: 2015-06-16
|
|
|
|
id: OSSA-2015-011
|
|
|
|
title: 'Cinder host file disclosure through qcow2 backing file'
|
|
|
|
description: 'Bastian Blank from credativ reported a vulnerability in Cinder. By
|
|
overwriting an image with a malicious qcow2 header, an authenticated
|
|
user may mislead Cinder upload-to-image action, resulting in
|
|
disclosure of any file from the Cinder server. All Cinder setups are
|
|
affected.'
|
|
|
|
errata: 'CVE-2015-1850 has been assigned to a similar issue in Nova, the correct
|
|
CVE number for Cinder is CVE-2015-1851'
|
|
|
|
affected-products:
|
|
|
|
- product: cinder
|
|
version: versions through 2014.1.4, and 2014.2 versions through 2014.2.3,
|
|
and version 2015.1.0
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2015-1851
|
|
|
|
reporters:
|
|
|
|
- name: 'Bastian Blank'
|
|
affiliation: Credativ
|
|
reported:
|
|
- CVE-2015-1851
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1415087
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
liberty:
|
|
- https://review.openstack.org/191785
|
|
|
|
kilo:
|
|
- https://review.openstack.org/191786
|
|
|
|
juno:
|
|
- https://review.openstack.org/191865
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/191871
|
|
|
|
type: gerrit
|
|
|
|
notes:
|
|
- 'This fix will be included in future 2014.1.5 (icehouse),
|
|
2014.2.4 (juno) and 2015.1.1 (kilo) releases.'
|
|
|
|
errata_history:
|
|
- 2015-06-17 - Errata 1
|
|
- 2015-06-16 - Original Version
|