155 matches found
Critical: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 security update
An update for openstack-nova is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
Critical: Red Hat Security Advisory: Red Hat OpenStack Platform 17.0 security update
An update for openstack-nova is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
openstack-cinder: silently access other user's volumes
A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality...
FreeBSD : py39-cinder -- insecure-credentials flaw (f767d615-01db-47e9-b4ab-07bb8d3409fd)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the f767d615-01db-47e9-b4ab-07bb8d3409fd advisory. - An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1....
FreeBSD : py-cinder -- data leak (f4a94232-7864-4afb-bbf9-ff2dc8e288d1)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the f4a94232-7864-4afb-bbf9-ff2dc8e288d1 advisory. - The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote...
Important: Red Hat Security Advisory: Synopsis: Red Hat OpenStack Platform (openstack-cinder) security update
An update for openstack-cinder is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerabili...
openstack: Arbitrary file access through custom VMDK flat descriptor
A flaw was found in OpenStack-nova, Openstack-glance, and Openstack-cinder. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized...
Important: Red Hat Security Advisory: Red Hat OpenStack Platform 17.0 (openstack-cinder) security update
An update for openstack-cinder is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for eac...
SUSE CVE-2013-4183
The clearvolume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors...
SUSE CVE-2013-4202
The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volumetransfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an...
SUSE CVE-2014-3641
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header...
SUSE CVE-2015-1851
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command...
SUSE CVE-2017-15139
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive...
SUSE CVE-2020-10755
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleI...
Ubuntu 18.04 LTS : Nova vulnerability (USN-5835-5)
The remote Ubuntu 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5835-5 advisory. USN-5835-3 fixed vulnerabilities in Nova. This update provides the corresponding updates for Ubuntu 18.04 LTS. Tenable has extracted the preceding description blo...
Ubuntu 18.04 LTS / 20.04 LTS : Cinder vulnerability (USN-5835-4)
The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5835-4 advisory. USN-5835-1 fixed vulnerabilities in Cinder. This update provides the corresponding updates for Ubuntu 18.04 LTS. In addition, a regression was fixed f...
Debian DSA-5337-1 : nova - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5337 advisory. Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou discovered that missing input sanitising in the handling of VMDK images in OpenStack Compute codenamed Nov...
Debian DSA-5338-1 : cinder - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5338 advisory. Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou discovered that missing input sanitising in the handling of VMDK images in Cinder, the OpenStack block...
Debian DSA-5336-1 : glance - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5336 advisory. - An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2,...