CVE-2022-47951

Source: NVD (web.nvd.nist.gov)
ID: NVD:CVE-2022-47951
Published: 2023-01-26 22:15:25
CWE: CWE-22
Tags: openstack, cinder, glance, nova, unauthorized access, vmdk image, sensitive data

CVSS3 score: 5.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score: 5.2
Confidence: High

EPSS: 0.003
Percentile: 66.0%

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file’s contents from the server, resulting in unauthorized access to potentially sensitive data.

Affected configurations (NVD)

Node
    openstack cinder, range < 19.1.2
    OR openstack cinder, range 20.0.0 to 20.0.2
    OR openstack glance, range < 23.0.1
    OR openstack glance, range 24.0.0 to 24.1.1
    OR openstack nova, range < 24.1.2
    OR openstack nova, range 25.0.0 to 25.0.2

Node
    debian debian_linux, match 10.0
    OR debian debian_linux, match 11.0

Vendor     Product       Version  CPE
openstack  cinder        *        cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
openstack  glance        *        cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*
openstack  nova          *        cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
debian     debian_linux  10.0     cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debian     debian_linux  11.0     cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
