Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    18 vulnerabilities found for cinder by openstack

    CVE-2024-32498 (GCVE-0-2024-32498)

    Vulnerability from nvd – Published: 2024-07-05 00:00 – Updated: 2025-11-04 16:12
    VLAI
    Summary
    An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32498",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-16T15:32:53.035957Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-552",
                    "description": "CWE-552 Files or Directories Accessible to External Parties",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-30T19:50:39.398Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T16:12:13.552Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.net/bugs/2059809"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2024/07/02/2"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file\u0027s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-23T15:16:09.036Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://launchpad.net/bugs/2059809"
            },
            {
              "name": "[oss-security] 20240702 [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2024/07/02/2"
            },
            {
              "url": "https://security.openstack.org/ossa/OSSA-2024-001.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-32498",
        "datePublished": "2024-07-05T00:00:00.000Z",
        "dateReserved": "2024-04-15T00:00:00.000Z",
        "dateUpdated": "2025-11-04T16:12:13.552Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-47951 (GCVE-0-2022-47951)

    Vulnerability from nvd – Published: 2023-01-26 00:00 – Updated: 2025-03-31 16:49
    VLAI
    Summary
    An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T15:02:36.595Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.net/bugs/1996188"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.openstack.org/ossa/OSSA-2023-002.html"
              },
              {
                "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3300-1] glance security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00040.html"
              },
              {
                "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3301-1] cinder security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00041.html"
              },
              {
                "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3302-1] nova security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00042.html"
              },
              {
                "name": "DSA-5336",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5336"
              },
              {
                "name": "DSA-5338",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5338"
              },
              {
                "name": "DSA-5337",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5337"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-47951",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-31T16:49:04.998803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-31T16:49:31.493Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file\u0027s contents from the server, resulting in unauthorized access to potentially sensitive data."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-02T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://launchpad.net/bugs/1996188"
            },
            {
              "url": "https://security.openstack.org/ossa/OSSA-2023-002.html"
            },
            {
              "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3300-1] glance security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00040.html"
            },
            {
              "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3301-1] cinder security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00041.html"
            },
            {
              "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3302-1] nova security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00042.html"
            },
            {
              "name": "DSA-5336",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5336"
            },
            {
              "name": "DSA-5338",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5338"
            },
            {
              "name": "DSA-5337",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5337"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-47951",
        "datePublished": "2023-01-26T00:00:00.000Z",
        "dateReserved": "2022-12-24T00:00:00.000Z",
        "dateUpdated": "2025-03-31T16:49:31.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-15139 (GCVE-0-2017-15139)

    Vulnerability from nvd – Published: 2018-08-27 17:00 – Updated: 2024-08-05 19:50
    VLAI
    Summary
    A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    OpenStack Foundation openstack-cinder Affected: up to and including Queens
    Create a notification for this product.
    Date Public
    2018-08-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:50:16.404Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084"
              },
              {
                "name": "RHSA-2018:3601",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3601"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139"
              },
              {
                "name": "RHSA-2019:0917",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0917"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openstack-cinder",
              "vendor": "OpenStack Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "up to and including Queens"
                }
              ]
            }
          ],
          "datePublic": "2018-08-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-30T19:06:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084"
            },
            {
              "name": "RHSA-2018:3601",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3601"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139"
            },
            {
              "name": "RHSA-2019:0917",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0917"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-15139",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "openstack-cinder",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "up to and including Queens"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "OpenStack Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084",
                  "refsource": "MISC",
                  "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084"
                },
                {
                  "name": "RHSA-2018:3601",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3601"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139"
                },
                {
                  "name": "RHSA-2019:0917",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0917"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-15139",
        "datePublished": "2018-08-27T17:00:00.000Z",
        "dateReserved": "2017-10-08T00:00:00.000Z",
        "dateUpdated": "2024-08-05T19:50:16.404Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-5162 (GCVE-0-2015-5162)

    Vulnerability from nvd – Published: 2016-10-07 14:00 – Updated: 2024-08-06 06:41
    VLAI
    Summary
    The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://launchpad.net/bugs/1449062 x_refsource_CONFIRM
    http://www.securityfocus.com/bid/76849 vdb-entryx_refsource_BID
    http://rhn.redhat.com/errata/RHSA-2017-0153.html vendor-advisoryx_refsource_REDHAT
    http://www.openwall.com/lists/oss-security/2016/10/06/8 mailing-listx_refsource_MLIST
    http://rhn.redhat.com/errata/RHSA-2016-2923.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2016-2991.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2017-0165.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2017-0156.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2017-0282.html vendor-advisoryx_refsource_REDHAT
    Date Public
    2016-10-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T06:41:07.567Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://launchpad.net/bugs/1449062"
              },
              {
                "name": "76849",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/76849"
              },
              {
                "name": "RHSA-2017:0153",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0153.html"
              },
              {
                "name": "[oss-security] 20161006 OSSA 2016-012] Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/10/06/8"
              },
              {
                "name": "RHSA-2016:2923",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2016-2923.html"
              },
              {
                "name": "RHSA-2016:2991",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2016-2991.html"
              },
              {
                "name": "RHSA-2017:0165",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0165.html"
              },
              {
                "name": "RHSA-2017:0156",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0156.html"
              },
              {
                "name": "RHSA-2017:0282",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0282.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-10-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://launchpad.net/bugs/1449062"
            },
            {
              "name": "76849",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/76849"
            },
            {
              "name": "RHSA-2017:0153",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0153.html"
            },
            {
              "name": "[oss-security] 20161006 OSSA 2016-012] Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/10/06/8"
            },
            {
              "name": "RHSA-2016:2923",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2923.html"
            },
            {
              "name": "RHSA-2016:2991",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2991.html"
            },
            {
              "name": "RHSA-2017:0165",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0165.html"
            },
            {
              "name": "RHSA-2017:0156",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0156.html"
            },
            {
              "name": "RHSA-2017:0282",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0282.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-5162",
        "datePublished": "2016-10-07T14:00:00.000Z",
        "dateReserved": "2015-07-01T00:00:00.000Z",
        "dateUpdated": "2024-08-06T06:41:07.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-7231 (GCVE-0-2014-7231)

    Vulnerability from nvd – Published: 2014-10-08 19:00 – Updated: 2024-08-06 12:40
    VLAI
    Summary
    The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2014-07-19 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T12:40:19.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2014/q3/853"
              },
              {
                "name": "openstack-nova-cve20147231-info-disc(96726)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96726"
              },
              {
                "name": "RHSA-2014:1939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/oslo.utils/+bug/1345233"
              },
              {
                "name": "70184",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/70184"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-07-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-07T15:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2014/q3/853"
            },
            {
              "name": "openstack-nova-cve20147231-info-disc(96726)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96726"
            },
            {
              "name": "RHSA-2014:1939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/oslo.utils/+bug/1345233"
            },
            {
              "name": "70184",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/70184"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2014-7231",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                  "refsource": "MLIST",
                  "url": "http://seclists.org/oss-sec/2014/q3/853"
                },
                {
                  "name": "openstack-nova-cve20147231-info-disc(96726)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96726"
                },
                {
                  "name": "RHSA-2014:1939",
                  "refsource": "REDHAT",
                  "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
                },
                {
                  "name": "https://bugs.launchpad.net/oslo.utils/+bug/1345233",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.launchpad.net/oslo.utils/+bug/1345233"
                },
                {
                  "name": "70184",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/70184"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2014-7231",
        "datePublished": "2014-10-08T19:00:00.000Z",
        "dateReserved": "2014-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T12:40:19.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-7230 (GCVE-0-2014-7230)

    Vulnerability from nvd – Published: 2014-10-08 19:00 – Updated: 2024-08-06 12:40
    VLAI
    Summary
    The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://seclists.org/oss-sec/2014/q3/853 mailing-listx_refsource_MLIST
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://www.securityfocus.com/bid/70185 vdb-entryx_refsource_BID
    https://bugs.launchpad.net/oslo-incubator/+bug/1343604 x_refsource_CONFIRM
    http://rhn.redhat.com/errata/RHSA-2014-1939.html vendor-advisoryx_refsource_REDHAT
    http://www.ubuntu.com/usn/USN-2405-1 vendor-advisoryx_refsource_UBUNTU
    Date Public
    2014-07-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T12:40:19.269Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2014/q3/853"
              },
              {
                "name": "openstack-cinder-cve20147230-info-disc(96725)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96725"
              },
              {
                "name": "70185",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/70185"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604"
              },
              {
                "name": "RHSA-2014:1939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
              },
              {
                "name": "USN-2405-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2405-1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-07-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-07T15:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2014/q3/853"
            },
            {
              "name": "openstack-cinder-cve20147230-info-disc(96725)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96725"
            },
            {
              "name": "70185",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/70185"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604"
            },
            {
              "name": "RHSA-2014:1939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
            },
            {
              "name": "USN-2405-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2405-1"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2014-7230",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                  "refsource": "MLIST",
                  "url": "http://seclists.org/oss-sec/2014/q3/853"
                },
                {
                  "name": "openstack-cinder-cve20147230-info-disc(96725)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96725"
                },
                {
                  "name": "70185",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/70185"
                },
                {
                  "name": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604"
                },
                {
                  "name": "RHSA-2014:1939",
                  "refsource": "REDHAT",
                  "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
                },
                {
                  "name": "USN-2405-1",
                  "refsource": "UBUNTU",
                  "url": "http://www.ubuntu.com/usn/USN-2405-1"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2014-7230",
        "datePublished": "2014-10-08T19:00:00.000Z",
        "dateReserved": "2014-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T12:40:19.269Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-3641 (GCVE-0-2014-3641)

    Vulnerability from nvd – Published: 2014-10-08 19:00 – Updated: 2024-08-06 10:50
    VLAI
    Summary
    The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://rhn.redhat.com/errata/RHSA-2014-1788.html vendor-advisoryx_refsource_REDHAT
    http://seclists.org/oss-sec/2014/q4/78 mailing-listx_refsource_MLIST
    http://www.securityfocus.com/bid/70221 vdb-entryx_refsource_BID
    http://www.ubuntu.com/usn/USN-2405-1 vendor-advisoryx_refsource_UBUNTU
    https://bugs.launchpad.net/cinder/+bug/1350504 x_refsource_CONFIRM
    http://rhn.redhat.com/errata/RHSA-2014-1787.html vendor-advisoryx_refsource_REDHAT
    Date Public
    2014-10-02 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T10:50:17.930Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2014:1788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1788.html"
              },
              {
                "name": "[oss-security] 20141002 [OSSA 2014-033] Cinder-volume host data leak to vm instance (CVE-2014-3641)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2014/q4/78"
              },
              {
                "name": "70221",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/70221"
              },
              {
                "name": "USN-2405-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2405-1"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/cinder/+bug/1350504"
              },
              {
                "name": "RHSA-2014:1787",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1787.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-10-02T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-11-18T20:57:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2014:1788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1788.html"
            },
            {
              "name": "[oss-security] 20141002 [OSSA 2014-033] Cinder-volume host data leak to vm instance (CVE-2014-3641)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2014/q4/78"
            },
            {
              "name": "70221",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/70221"
            },
            {
              "name": "USN-2405-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2405-1"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/cinder/+bug/1350504"
            },
            {
              "name": "RHSA-2014:1787",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1787.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2014-3641",
        "datePublished": "2014-10-08T19:00:00.000Z",
        "dateReserved": "2014-05-14T00:00:00.000Z",
        "dateUpdated": "2024-08-06T10:50:17.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-4202 (GCVE-0-2013-4202)

    Vulnerability from nvd – Published: 2013-09-16 19:00 – Updated: 2024-08-06 16:38
    VLAI
    Summary
    The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://rhn.redhat.com/errata/RHSA-2013-1198.html vendor-advisoryx_refsource_REDHAT
    https://bugs.launchpad.net/ossa/+bug/1190229 x_refsource_CONFIRM
    http://www.ubuntu.com/usn/USN-2005-1 vendor-advisoryx_refsource_UBUNTU
    Date Public
    2013-08-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:38:01.845Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2013:1198",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/ossa/+bug/1190229"
              },
              {
                "name": "USN-2005-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2005-1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-08-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.  NOTE: this issue is due to an incomplete fix for CVE-2013-1664."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-10-30T09:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2013:1198",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/ossa/+bug/1190229"
            },
            {
              "name": "USN-2005-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2005-1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4202",
        "datePublished": "2013-09-16T19:00:00.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:38:01.845Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-4183 (GCVE-0-2013-4183)

    Vulnerability from nvd – Published: 2013-09-16 19:00 – Updated: 2024-08-06 16:38
    VLAI
    Summary
    The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://rhn.redhat.com/errata/RHSA-2013-1198.html vendor-advisoryx_refsource_REDHAT
    https://bugs.launchpad.net/cinder/+bug/1198185 x_refsource_CONFIRM
    http://www.ubuntu.com/usn/USN-2005-1 vendor-advisoryx_refsource_UBUNTU
    Date Public
    2013-07-05 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:38:01.539Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2013:1198",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/cinder/+bug/1198185"
              },
              {
                "name": "USN-2005-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2005-1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-07-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-10-30T09:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2013:1198",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/cinder/+bug/1198185"
            },
            {
              "name": "USN-2005-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2005-1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4183",
        "datePublished": "2013-09-16T19:00:00.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:38:01.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32498 (GCVE-0-2024-32498)

    Vulnerability from cvelistv5 – Published: 2024-07-05 00:00 – Updated: 2025-11-04 16:12
    VLAI
    Summary
    An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32498",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-16T15:32:53.035957Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-552",
                    "description": "CWE-552 Files or Directories Accessible to External Parties",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-30T19:50:39.398Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T16:12:13.552Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.net/bugs/2059809"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2024/07/02/2"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file\u0027s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-23T15:16:09.036Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://launchpad.net/bugs/2059809"
            },
            {
              "name": "[oss-security] 20240702 [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"
            },
            {
              "url": "https://www.openwall.com/lists/oss-security/2024/07/02/2"
            },
            {
              "url": "https://security.openstack.org/ossa/OSSA-2024-001.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-32498",
        "datePublished": "2024-07-05T00:00:00.000Z",
        "dateReserved": "2024-04-15T00:00:00.000Z",
        "dateUpdated": "2025-11-04T16:12:13.552Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-47951 (GCVE-0-2022-47951)

    Vulnerability from cvelistv5 – Published: 2023-01-26 00:00 – Updated: 2025-03-31 16:49
    VLAI
    Summary
    An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T15:02:36.595Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://launchpad.net/bugs/1996188"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.openstack.org/ossa/OSSA-2023-002.html"
              },
              {
                "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3300-1] glance security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00040.html"
              },
              {
                "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3301-1] cinder security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00041.html"
              },
              {
                "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3302-1] nova security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00042.html"
              },
              {
                "name": "DSA-5336",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5336"
              },
              {
                "name": "DSA-5338",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5338"
              },
              {
                "name": "DSA-5337",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5337"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-47951",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-31T16:49:04.998803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-31T16:49:31.493Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file\u0027s contents from the server, resulting in unauthorized access to potentially sensitive data."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-02T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://launchpad.net/bugs/1996188"
            },
            {
              "url": "https://security.openstack.org/ossa/OSSA-2023-002.html"
            },
            {
              "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3300-1] glance security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00040.html"
            },
            {
              "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3301-1] cinder security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00041.html"
            },
            {
              "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3302-1] nova security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00042.html"
            },
            {
              "name": "DSA-5336",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5336"
            },
            {
              "name": "DSA-5338",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5338"
            },
            {
              "name": "DSA-5337",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5337"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-47951",
        "datePublished": "2023-01-26T00:00:00.000Z",
        "dateReserved": "2022-12-24T00:00:00.000Z",
        "dateUpdated": "2025-03-31T16:49:31.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-15139 (GCVE-0-2017-15139)

    Vulnerability from cvelistv5 – Published: 2018-08-27 17:00 – Updated: 2024-08-05 19:50
    VLAI
    Summary
    A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    OpenStack Foundation openstack-cinder Affected: up to and including Queens
    Create a notification for this product.
    Date Public
    2018-08-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:50:16.404Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084"
              },
              {
                "name": "RHSA-2018:3601",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3601"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139"
              },
              {
                "name": "RHSA-2019:0917",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0917"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openstack-cinder",
              "vendor": "OpenStack Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "up to and including Queens"
                }
              ]
            }
          ],
          "datePublic": "2018-08-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-30T19:06:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084"
            },
            {
              "name": "RHSA-2018:3601",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3601"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139"
            },
            {
              "name": "RHSA-2019:0917",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0917"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-15139",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "openstack-cinder",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "up to and including Queens"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "OpenStack Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084",
                  "refsource": "MISC",
                  "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084"
                },
                {
                  "name": "RHSA-2018:3601",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3601"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139"
                },
                {
                  "name": "RHSA-2019:0917",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0917"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-15139",
        "datePublished": "2018-08-27T17:00:00.000Z",
        "dateReserved": "2017-10-08T00:00:00.000Z",
        "dateUpdated": "2024-08-05T19:50:16.404Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2015-5162 (GCVE-0-2015-5162)

    Vulnerability from cvelistv5 – Published: 2016-10-07 14:00 – Updated: 2024-08-06 06:41
    VLAI
    Summary
    The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://launchpad.net/bugs/1449062 x_refsource_CONFIRM
    http://www.securityfocus.com/bid/76849 vdb-entryx_refsource_BID
    http://rhn.redhat.com/errata/RHSA-2017-0153.html vendor-advisoryx_refsource_REDHAT
    http://www.openwall.com/lists/oss-security/2016/10/06/8 mailing-listx_refsource_MLIST
    http://rhn.redhat.com/errata/RHSA-2016-2923.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2016-2991.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2017-0165.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2017-0156.html vendor-advisoryx_refsource_REDHAT
    http://rhn.redhat.com/errata/RHSA-2017-0282.html vendor-advisoryx_refsource_REDHAT
    Date Public
    2016-10-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T06:41:07.567Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://launchpad.net/bugs/1449062"
              },
              {
                "name": "76849",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/76849"
              },
              {
                "name": "RHSA-2017:0153",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0153.html"
              },
              {
                "name": "[oss-security] 20161006 OSSA 2016-012] Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2016/10/06/8"
              },
              {
                "name": "RHSA-2016:2923",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2016-2923.html"
              },
              {
                "name": "RHSA-2016:2991",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2016-2991.html"
              },
              {
                "name": "RHSA-2017:0165",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0165.html"
              },
              {
                "name": "RHSA-2017:0156",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0156.html"
              },
              {
                "name": "RHSA-2017:0282",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0282.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-10-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://launchpad.net/bugs/1449062"
            },
            {
              "name": "76849",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/76849"
            },
            {
              "name": "RHSA-2017:0153",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0153.html"
            },
            {
              "name": "[oss-security] 20161006 OSSA 2016-012] Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/10/06/8"
            },
            {
              "name": "RHSA-2016:2923",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2923.html"
            },
            {
              "name": "RHSA-2016:2991",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2991.html"
            },
            {
              "name": "RHSA-2017:0165",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0165.html"
            },
            {
              "name": "RHSA-2017:0156",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0156.html"
            },
            {
              "name": "RHSA-2017:0282",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0282.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2015-5162",
        "datePublished": "2016-10-07T14:00:00.000Z",
        "dateReserved": "2015-07-01T00:00:00.000Z",
        "dateUpdated": "2024-08-06T06:41:07.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-7230 (GCVE-0-2014-7230)

    Vulnerability from cvelistv5 – Published: 2014-10-08 19:00 – Updated: 2024-08-06 12:40
    VLAI
    Summary
    The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://seclists.org/oss-sec/2014/q3/853 mailing-listx_refsource_MLIST
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://www.securityfocus.com/bid/70185 vdb-entryx_refsource_BID
    https://bugs.launchpad.net/oslo-incubator/+bug/1343604 x_refsource_CONFIRM
    http://rhn.redhat.com/errata/RHSA-2014-1939.html vendor-advisoryx_refsource_REDHAT
    http://www.ubuntu.com/usn/USN-2405-1 vendor-advisoryx_refsource_UBUNTU
    Date Public
    2014-07-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T12:40:19.269Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2014/q3/853"
              },
              {
                "name": "openstack-cinder-cve20147230-info-disc(96725)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96725"
              },
              {
                "name": "70185",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/70185"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604"
              },
              {
                "name": "RHSA-2014:1939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
              },
              {
                "name": "USN-2405-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2405-1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-07-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-07T15:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2014/q3/853"
            },
            {
              "name": "openstack-cinder-cve20147230-info-disc(96725)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96725"
            },
            {
              "name": "70185",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/70185"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604"
            },
            {
              "name": "RHSA-2014:1939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
            },
            {
              "name": "USN-2405-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2405-1"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2014-7230",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                  "refsource": "MLIST",
                  "url": "http://seclists.org/oss-sec/2014/q3/853"
                },
                {
                  "name": "openstack-cinder-cve20147230-info-disc(96725)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96725"
                },
                {
                  "name": "70185",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/70185"
                },
                {
                  "name": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.launchpad.net/oslo-incubator/+bug/1343604"
                },
                {
                  "name": "RHSA-2014:1939",
                  "refsource": "REDHAT",
                  "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
                },
                {
                  "name": "USN-2405-1",
                  "refsource": "UBUNTU",
                  "url": "http://www.ubuntu.com/usn/USN-2405-1"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2014-7230",
        "datePublished": "2014-10-08T19:00:00.000Z",
        "dateReserved": "2014-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T12:40:19.269Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-3641 (GCVE-0-2014-3641)

    Vulnerability from cvelistv5 – Published: 2014-10-08 19:00 – Updated: 2024-08-06 10:50
    VLAI
    Summary
    The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://rhn.redhat.com/errata/RHSA-2014-1788.html vendor-advisoryx_refsource_REDHAT
    http://seclists.org/oss-sec/2014/q4/78 mailing-listx_refsource_MLIST
    http://www.securityfocus.com/bid/70221 vdb-entryx_refsource_BID
    http://www.ubuntu.com/usn/USN-2405-1 vendor-advisoryx_refsource_UBUNTU
    https://bugs.launchpad.net/cinder/+bug/1350504 x_refsource_CONFIRM
    http://rhn.redhat.com/errata/RHSA-2014-1787.html vendor-advisoryx_refsource_REDHAT
    Date Public
    2014-10-02 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T10:50:17.930Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2014:1788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1788.html"
              },
              {
                "name": "[oss-security] 20141002 [OSSA 2014-033] Cinder-volume host data leak to vm instance (CVE-2014-3641)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2014/q4/78"
              },
              {
                "name": "70221",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/70221"
              },
              {
                "name": "USN-2405-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2405-1"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/cinder/+bug/1350504"
              },
              {
                "name": "RHSA-2014:1787",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1787.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-10-02T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-11-18T20:57:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2014:1788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1788.html"
            },
            {
              "name": "[oss-security] 20141002 [OSSA 2014-033] Cinder-volume host data leak to vm instance (CVE-2014-3641)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2014/q4/78"
            },
            {
              "name": "70221",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/70221"
            },
            {
              "name": "USN-2405-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2405-1"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/cinder/+bug/1350504"
            },
            {
              "name": "RHSA-2014:1787",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1787.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2014-3641",
        "datePublished": "2014-10-08T19:00:00.000Z",
        "dateReserved": "2014-05-14T00:00:00.000Z",
        "dateUpdated": "2024-08-06T10:50:17.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-7231 (GCVE-0-2014-7231)

    Vulnerability from cvelistv5 – Published: 2014-10-08 19:00 – Updated: 2024-08-06 12:40
    VLAI
    Summary
    The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2014-07-19 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T12:40:19.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://seclists.org/oss-sec/2014/q3/853"
              },
              {
                "name": "openstack-nova-cve20147231-info-disc(96726)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96726"
              },
              {
                "name": "RHSA-2014:1939",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/oslo.utils/+bug/1345233"
              },
              {
                "name": "70184",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/70184"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-07-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-07T15:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://seclists.org/oss-sec/2014/q3/853"
            },
            {
              "name": "openstack-nova-cve20147231-info-disc(96726)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96726"
            },
            {
              "name": "RHSA-2014:1939",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/oslo.utils/+bug/1345233"
            },
            {
              "name": "70184",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/70184"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2014-7231",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove",
                  "refsource": "MLIST",
                  "url": "http://seclists.org/oss-sec/2014/q3/853"
                },
                {
                  "name": "openstack-nova-cve20147231-info-disc(96726)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96726"
                },
                {
                  "name": "RHSA-2014:1939",
                  "refsource": "REDHAT",
                  "url": "http://rhn.redhat.com/errata/RHSA-2014-1939.html"
                },
                {
                  "name": "https://bugs.launchpad.net/oslo.utils/+bug/1345233",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.launchpad.net/oslo.utils/+bug/1345233"
                },
                {
                  "name": "70184",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/70184"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2014-7231",
        "datePublished": "2014-10-08T19:00:00.000Z",
        "dateReserved": "2014-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-06T12:40:19.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-4202 (GCVE-0-2013-4202)

    Vulnerability from cvelistv5 – Published: 2013-09-16 19:00 – Updated: 2024-08-06 16:38
    VLAI
    Summary
    The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://rhn.redhat.com/errata/RHSA-2013-1198.html vendor-advisoryx_refsource_REDHAT
    https://bugs.launchpad.net/ossa/+bug/1190229 x_refsource_CONFIRM
    http://www.ubuntu.com/usn/USN-2005-1 vendor-advisoryx_refsource_UBUNTU
    Date Public
    2013-08-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:38:01.845Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2013:1198",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/ossa/+bug/1190229"
              },
              {
                "name": "USN-2005-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2005-1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-08-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.  NOTE: this issue is due to an incomplete fix for CVE-2013-1664."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-10-30T09:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2013:1198",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/ossa/+bug/1190229"
            },
            {
              "name": "USN-2005-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2005-1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4202",
        "datePublished": "2013-09-16T19:00:00.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:38:01.845Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-4183 (GCVE-0-2013-4183)

    Vulnerability from cvelistv5 – Published: 2013-09-16 19:00 – Updated: 2024-08-06 16:38
    VLAI
    Summary
    The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://rhn.redhat.com/errata/RHSA-2013-1198.html vendor-advisoryx_refsource_REDHAT
    https://bugs.launchpad.net/cinder/+bug/1198185 x_refsource_CONFIRM
    http://www.ubuntu.com/usn/USN-2005-1 vendor-advisoryx_refsource_UBUNTU
    Date Public
    2013-07-05 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:38:01.539Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2013:1198",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.launchpad.net/cinder/+bug/1198185"
              },
              {
                "name": "USN-2005-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-2005-1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-07-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-10-30T09:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2013:1198",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1198.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.launchpad.net/cinder/+bug/1198185"
            },
            {
              "name": "USN-2005-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-2005-1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4183",
        "datePublished": "2013-09-16T19:00:00.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:38:01.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }