Insecure Credentials Exposure in OpenStack Cinder by Dell EMC
CVE-2020-10755

6.5 MEDIUM

Key Information:

Vendor:
Red Hat

CVE Published:
10 June 2020

What is CVE-2020-10755?

An insecure-credentials flaw exists in OpenStack Cinder, affecting all versions before 14.1.0, 15.x.x versions before 15.2.0 and 16.x.x versions before 16.1.0. When Cinder is configured with the Dell EMC ScaleIO or VxFlex OS backend storage driver, the driver places backend credentials in the connection_info element returned by Block Storage v3 Attachments API calls. Any authenticated end user can therefore create a volume and call the attachment-detail API to read a username and password that could be misused to connect to another user's volume. The same credentials can also be used against the ScaleIO or VxFlex OS Management API if the attacker can locate that endpoint. The fixed releases are 14.1.0, 15.2.0 and 16.1.0.
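The following is an added example, not code from this advisory or from the Cinder project. It shows the two checks an operator would want here: classifying a deployed openstack-cinder version against the affected ranges above, and scanning the connection_info element of a v3 attachment record for credential-looking fields. The advisory does not name the leaked fields, so the scan is pattern-based; the driver type string and field names in the constructed sample (scaleio, serverUsername, serverPassword) are assumptions used only to make the sample realistic.

```python
"""Added example for CVE-2020-10755 (not the advisory's or Cinder's own code)."""
import re
from typing import Any, Dict, Tuple

# Key names that indicate a secret or an identity inside a connection_info blob.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|user(name)?|credential",
                           re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Return (major, minor, patch) from a version string such as '15.1.0'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised openstack-cinder version: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True if the openstack-cinder version falls in a range the advisory lists."""
    v = parse_version(version)
    major = v[0]
    if major < 14:
        return True                    # every release before 14.1.0
    if major == 14:
        return v < (14, 1, 0)
    if major == 15:
        return v < (15, 2, 0)
    if major == 16:
        return v < (16, 1, 0)
    return False                       # outside the ranges the advisory lists


def find_exposed_credentials(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return {dotted.path: value} for credential-looking keys in connection_info.

    Accepts either the bare attachment object or the {"attachment": {...}}
    envelope returned by GET /v3/{project_id}/attachments/{attachment_id}.
    """
    attachment = record.get("attachment", record)
    info = attachment.get("connection_info") or {}
    hits: Dict[str, Any] = {}

    def walk(node: Any, path: str) -> None:
        # connection_info is normally flat, but walk nested dicts/lists too so a
        # driver that nests its auth block is not missed.
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                if SENSITIVE_KEY.search(str(key)):
                    hits[child] = value
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(info, "connection_info")
    return hits


# Constructed sample of a vulnerable attachment record (all values invented).
LEAKY_ATTACHMENT = {
    "attachment": {
        "id": "8a1b2c3d-0000-4000-8000-000000000001",
        "status": "attached",
        "volume_id": "f0e1d2c3-0000-4000-8000-000000000002",
        "connection_info": {
            "driver_volume_type": "scaleio",      # assumed driver type string
            "serverIP": "192.0.2.10",
            "serverPort": 443,
            "serverUsername": "admin",            # assumed key name
            "serverPassword": "hunter2",          # assumed key name
            "scaleIO_volname": "vol-0001",
        },
    }
}

# Constructed sample of what a fixed deployment should return: no auth fields.
CLEAN_ATTACHMENT = {
    "attachment": {
        "id": "8a1b2c3d-0000-4000-8000-000000000003",
        "status": "attached",
        "volume_id": "f0e1d2c3-0000-4000-8000-000000000004",
        "connection_info": {
            "driver_volume_type": "scaleio",
            "serverIP": "192.0.2.10",
            "serverPort": 443,
            "scaleIO_volname": "vol-0002",
        },
    }
}


if __name__ == "__main__":
    for ver in ("14.0.4", "14.1.0", "15.1.0", "16.0.0", "16.1.0"):
        state = "AFFECTED" if is_affected(ver) else "not affected"
        print(f"openstack-cinder {ver}: {state}")
    for label, rec in (("leaky", LEAKY_ATTACHMENT), ("clean", CLEAN_ATTACHMENT)):
        found = find_exposed_credentials(rec)
        print(f"{label}: {sorted(found) if found else 'no credential-like fields'}")
```

In a real audit, feed find_exposed_credentials() each record from the attachments list endpoint (an admin token is assumed to be needed to see attachments across projects); any non-empty result on a ScaleIO/VxFlex OS backend means the deployment is still serving backend credentials to tenants and the credentials themselves should be rotated after the upgrade, since any tenant may already have read them.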

Affected Version(s)

  • openstack-cinder: all versions before 14.1.0

  • openstack-cinder: all 15.x.x versions before 15.2.0

  • openstack-cinder: all 16.x.x versions before 16.1.0

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 10 June 2020

  • Vulnerability reserved