CVE-2020-10755
First published: Wed Jun 10 2020(Updated: )
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/os-brick | >=3.0.0<3.0.2 | 3.0.2 |
| pip/os-brick | >=2.10.0<2.10.4 | 2.10.4 |
| pip/os-brick | >=2.8.0<2.8.6 | 2.8.6 |
| pip/cinder | >=16.0.0<16.1.0 | 16.1.0 |
| pip/cinder | >=15.0.0<15.2.0 | 15.2.0 |
| pip/cinder | >=14.0.0<14.1.0 | 14.1.0 |
| debian/cinder | 2:17.0.1-1+deb11u1 2:17.4.0-1~deb11u2 2:21.3.1-1~deb12u1 2:25.0.0-1 | |
| debian/python-os-brick | 4.0.1-2 6.1.0-3 6.9.0-2 | |
| Red Hat OpenStack Cinder | <14.1.0 | |
| Red Hat OpenStack Cinder | >=15.0.0<15.2.0 | |
| Red Hat OpenStack Cinder | >=16.0.0<16.1.0 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10755
- https://usn.ubuntu.com/4420-1/
- https://wiki.openstack.org/wiki/OSSN/OSSN-0086
- https://launchpad.net/bugs/cve/CVE-2020-10755
- https://nvd.nist.gov/vuln/detail/CVE-2020-10755
- https://github.com/openstack/cinder/commit/ba785eef5f515b869c0d68016e84bb74f76ab45e
- https://github.com/openstack/os-brick/commit/4047948f1ac8055a025972ad73ec3ec421450775
- https://bugs.launchpad.net/cinder/+bug/1823200
- https://github.com/advisories/GHSA-v3m2-pg96-w33m (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2020-10755
- https://github.com/pypa/advisory-database/tree/main/vulns/cinder/PYSEC-2020-228.yaml
- https://usn.ubuntu.com/4420-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10755
- https://ubuntu.com/security/CVE-2020-10755
- agent/author
- agent/type
- agent/severity
- agent/weakness
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-v3m2-pg96-w33m
- alias/CVE-2020-10755
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- collector/github-advisory
- collector/security-tracker-debian
- source/Debian
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- package-manager/debian
- vendor/redhat
- canonical/red hat openstack cinder
- version/red hat openstack cinder/15.0.0
- version/red hat openstack cinder/16.0.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04