First published: Tue Jan 24 2023
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
OpenStack Cinder | <=19.1.2 | |
OpenStack Cinder | >=20.0.0<20.0.2 | |
OpenStack Glance | <23.0.1 | |
OpenStack Glance | >=24.0.0<24.1.1 | |
OpenStack Nova | <24.1.2 | |
OpenStack Nova | >=25.0.0<25.0.2 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
debian/cinder | 2:17.0.1-1+deb11u1 2:17.4.0-1~deb11u2 2:21.3.1-1~deb12u1 2:25.0.0-2 2:25.0.0-3 | |
debian/glance | 2:21.0.0-2+deb11u1 2:21.1.0-1+deb11u2 2:25.1.0-2+deb12u1 2:29.0.0-2 2:29.0.0-3 | |
debian/nova | 2:22.0.1-2+deb11u1 2:22.4.0-1~deb11u5 2:26.2.2-1~deb12u3 2:30.0.0-3 2:30.0.0-4 | |
The severity of CVE-2022-47951 is medium with a CVSS score of 5.7.
OpenStack Cinder versions before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0 are affected by CVE-2022-47951.
To fix CVE-2022-47951, you should update to the following package versions: Cinder 2:13.0.7-1+deb10u2, 2:17.0.1-1+deb11u1, 2:21.1.0-3, and 2:23.0.0-1; Glance 2:17.0.0-5+deb10u1, 2:21.0.0-2+deb11u1, 2:25.1.0-2, and 2:27.0.0-1; Nova 2:18.1.0-6+deb10u2, 2:22.0.1-2+deb11u1, 2:26.1.0-4, and 2:28.0.0-2.
Additional information about CVE-2022-47951 can be found at the following references:
[1] https://security-tracker.debian.org/tracker/CVE-2022-47951
[2] https://launchpad.net/bugs/1996188
[3] https://salsa.debian.org/openstack-team/services/glance/-/commit/4cc1d20d6a74b855fda0c73892533b0613ecac36
The Common Weakness Enumeration (CWE) ID of CVE-2022-47951 is 22.
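The following added example, which is not OpenStack's code or part of this advisory, shows a defender-side check for the flat-image issue described above: it parses VMDK descriptor text and flags a disallowed createType or an extent whose file name is anything other than a bare file name. The allowlist, the function names and the sample descriptors are assumptions made for the example, and it expects the descriptor text to have been extracted from the image already.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Assumed policy for this example: only subformats that hold their own data.
ALLOWED_CREATE_TYPES = frozenset({"streamOptimized", "monolithicSparse"})
_CREATE_TYPE = re.compile(r'^\s*createType\s*=\s*"([^"]*)"', re.I | re.M)
# Extent line layout: <access> <sectors> <type> "<file name>" [offset]
_EXTENT = re.compile(
    r'^\s*(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z0-9]+)(?:\s+"([^"]*)")?', re.M)

def parse_descriptor(text):
    """Return (createType, [(access, sectors, extent_type, file_name), ...])."""
    m = _CREATE_TYPE.search(text)
    extents = [(a, int(n), t, f) for a, n, t, f in _EXTENT.findall(text)]
    return (m.group(1) if m else None), extents

def escapes_image(name):
    """True if an extent file name is anything but a bare file name."""
    for flavour in (PurePosixPath, PureWindowsPath):
        p = flavour(name)
        if p.anchor or len(p.parts) != 1 or ".." in p.parts:
            return True
    return False

def audit_descriptor(text, allowed=ALLOWED_CREATE_TYPES):
    """Return a list of findings; an empty list means nothing was flagged."""
    create_type, extents = parse_descriptor(text)
    findings = []
    if create_type not in allowed:
        findings.append(f"createType {create_type!r} is not allowed")
    for _access, _sectors, etype, name in extents:
        if name and escapes_image(name):  # ZERO extents carry no file name
            findings.append(f"{etype} extent names an outside path: {name!r}")
    return findings

# Constructed descriptors (placeholder path, not taken from any real image).
SUSPECT = '''# Disk DescriptorFile
createType="monolithicFlat"
RW 8 FLAT "/placeholder/dir/file" 0
'''
BENIGN = '''# Disk DescriptorFile
createType="streamOptimized"
RDONLY 2048 SPARSE "disk.vmdk"
'''

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, audit_descriptor(text))
```

A check like this belongs before any conversion step reads the image, so that a flagged upload is rejected rather than processed.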