Information disclosure in Openstack Icehouse

CVE-2015-1851

OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image co…

Vulnerability class: Information Disclosure

EPSS: 0.005 (66.8th percentile) — read the EPSS interpretation.

Affected products

Openstack Icehouse
Openstack Juno — versions 2014.2, 2014.2.2, 2014.2.3
Openstack Kilo — versions 2015.1.0
Canonical Ubuntu_linux — versions 15.04
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

[openstack-announce] 20150616 [OSSA 2015-011.1] Cinder host file disclosure through qcow2 backing file (CVE-2015-1851) ERRATA 1 (Vendor Advisory, mailing-list, x_refsource_MLIST)
DSA-3292 (vendor-advisory, x_refsource_DEBIAN)
[oss-security] 20150613 CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file disclosure in image convert (mailing-list, x_refsource_MLIST)
[oss-security] 20150617 Re: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file (CVE-2015-1850) (mailing-list, x_refsource_MLIST)
RHSA-2015:1206 (x_refsource_REDHAT, vendor-advisory)
USN-2703-1 (x_refsource_UBUNTU, vendor-advisory)
[oss-security] 20150617 Re: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file (CVE-2015-1850) (mailing-list, x_refsource_MLIST)
secalert@redhat.com (x_refsource_CONFIRM)