CVE-2022-47951
Publication date 27 January 2023
Last updated 24 July 2024
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
Status
Package | Ubuntu Release | Status |
---|---|---|
cinder | 24.10 oracular | Fixed 2:21.1.0+git2023012815.c9e65529-0ubuntu1 |
cinder | 24.04 LTS noble | Fixed 2:21.1.0+git2023012815.c9e65529-0ubuntu1 |
cinder | 22.04 LTS jammy | Fixed 2:20.1.0-0ubuntu1 |
cinder | 20.04 LTS focal | Fixed 2:16.4.2-0ubuntu2.1 |
cinder | 18.04 LTS bionic | Fixed 2:12.0.10-0ubuntu2.2 |
cinder | 16.04 LTS xenial | Vulnerable |
cinder | 14.04 LTS trusty | Ignored (end of standard support) |
glance | 24.10 oracular | Fixed 2:26.0.0~b2+git2023012815.907c5626-0ubuntu1 |
glance | 24.04 LTS noble | Fixed 2:26.0.0~b2+git2023012815.907c5626-0ubuntu1 |
glance | 22.04 LTS jammy | Fixed 2:24.1.0-0ubuntu1.1 |
glance | 20.04 LTS focal | Fixed 2:20.2.0-0ubuntu1.1 |
glance | 18.04 LTS bionic | Not affected |
glance | 16.04 LTS xenial | Not affected |
glance | 14.04 LTS trusty | Ignored (end of standard support) |
nova | 24.10 oracular | Fixed 3:26.1.0+git2023012815.98daf501-0ubuntu1 |
nova | 24.04 LTS noble | Fixed 3:26.1.0+git2023012815.98daf501-0ubuntu1 |
nova | 22.04 LTS jammy | Fixed 3:25.1.0-0ubuntu1 |
nova | 20.04 LTS focal | Fixed 2:21.2.4-0ubuntu2.1 |
nova | 18.04 LTS bionic | Fixed 2:17.0.13-0ubuntu5.2 |
nova | 16.04 LTS xenial | Vulnerable |
nova | 14.04 LTS trusty | Ignored (end of standard support) |
Notes
mdeslaur: image conversion was introduced in glance 17.0.0, so bionic and earlier are not vulnerable.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.7 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5835-1: Cinder vulnerability (31 January 2023)
- USN-5835-2: OpenStack Glance vulnerability (31 January 2023)
- USN-5835-3: Nova vulnerability (31 January 2023)
- USN-5835-4: Cinder vulnerability (9 February 2023)
- USN-5835-5: Nova vulnerability (9 February 2023)
- USN-6882-2: Cinder regression (7 November 2024)