openstack-cinder is vulnerable to information disclosure. The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allow remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
rhn.redhat.com/errata/RHSA-2014-1787.html
rhn.redhat.com/errata/RHSA-2014-1788.html
seclists.org/oss-sec/2014/q4/78
www.securityfocus.com/bid/70221
www.ubuntu.com/usn/USN-2405-1
access.redhat.com/errata/RHSA-2014:1787
access.redhat.com/errata/RHSA-2014:1788
access.redhat.com/security/cve/CVE-2014-3641
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/cinder/+bug/1350504
bugzilla.redhat.com/show_bug.cgi?id=1141996
bugzilla.redhat.com/show_bug.cgi?id=1149750
wiki.openstack.org/wiki/ReleaseNotes/2014.1.3