Data Exposure in OpenStack Cinder, Glance, and Nova Due to VMDK File Manipulation
CVE-2022-47951

5.7MEDIUM

Key Information:

Vendor: Openstack
Status: Nova; Glance; Cinder
Vendor: CVE Published:; 26 January 2023

Summary

An issue within OpenStack's Cinder, Glance, and Nova components allows authenticated users to exploit specially crafted VMDK flat images. By referencing specific backing file paths, these users can potentially retrieve sensitive data stored on the server, leading to unauthorized access and data exposure risks.

References

https://launchpad.net/bugs/1996188

https://security.openstack.org/ossa/OSSA-2023-002.html

https://lists.debian.org/debian-lts-announce/2023/01/msg0...

mailing-list

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 26, 2023
Vulnerability Reserved
Dec 24, 2022