PT-2023-1359 · Openstack+3 · Openstack Nova+5

Arnaud Morin +3 · Published 2023-01-24 · Updated 2025-03-31 · CVE-2022-47951

CVSS v2.0: 6.6 (Medium)
Vector: AV:N/AC:H/Au:N/C:C/I:P/A:P

Name of the Vulnerable Software and Affected Versions

OpenStack Cinder versions prior to 19.1.2
OpenStack Cinder versions 20.x prior to 20.0.2
OpenStack Cinder version 21.0.0
OpenStack Glance versions prior to 23.0.1
OpenStack Glance versions 24.x prior to 24.1.1
OpenStack Glance version 25.0.0
OpenStack Nova versions prior to 24.1.2
OpenStack Nova versions 25.x prior to 25.0.2
OpenStack Nova version 26.0.0

Description

The issue is related to the use of files and directories accessible to external parties in OpenStack Cinder. An authenticated user can exploit it by supplying a specially crafted VMDK flat image that references a specific backing file path, causing the affected systems to return a copy of that file's contents from the server. This results in unauthorized access to potentially sensitive data.

Recommendations

For OpenStack Cinder versions prior to 19.1.2, update to version 19.1.2 or later.
For OpenStack Cinder versions 20.x prior to 20.0.2, update to version 20.0.2 or later.
For OpenStack Cinder version 21.0.0, update to a version later than 21.0.0.
For OpenStack Glance versions prior to 23.0.1, update to version 23.0.1 or later.
For OpenStack Glance versions 24.x prior to 24.1.1, update to version 24.1.1 or later.
For OpenStack Glance version 25.0.0, update to a version later than 25.0.0.
For OpenStack Nova versions prior to 24.1.2, update to version 24.1.2 or later.
For OpenStack Nova versions 25.x prior to 25.0.2, update to version 25.0.2 or later.
For OpenStack Nova version 26.0.0, update to a version later than 26.0.0.

As a temporary workaround, consider restricting access to the VMDK image upload feature until a patch is available.
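
Where VMDK uploads cannot be disabled outright, an upload gate can reject descriptors whose data lives in a separate backing file. The sketch below is an added example, not OpenStack code: it assumes the text descriptor has already been extracted from the uploaded image, and the allowlist of subformats is an assumption to adapt to local policy.

```python
import re

# Assumption: only self-contained subformats are accepted; adjust to local policy.
ALLOWED_CREATE_TYPES = {"streamOptimized", "monolithicSparse"}

CREATE_TYPE_RE = re.compile(r'^createType\s*=\s*"([^"]*)"', re.I)
# Extent line: <access> <sectors> <type> "<file name>" [offset]
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+(\w+)\s+"([^"]*)"', re.I)


def check_vmdk_descriptor(text):
    """Return the reasons to reject a descriptor; an empty list means accept."""
    findings, create_type = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATE_TYPE_RE.match(line)
        if m:
            create_type = m.group(1)
            continue
        m = EXTENT_RE.match(line)
        if not m:
            continue  # comments, blank lines, other key=value entries
        ext_type, name = m.group(1).upper(), m.group(2)
        if ext_type == "FLAT":
            findings.append(f"flat extent reads its data from separate file {name!r}")
        if "/" in name or "\\" in name or ".." in name:
            findings.append(f"extent file name {name!r} contains a path")
    if create_type is None:
        findings.append("no createType line found")
    elif create_type not in ALLOWED_CREATE_TYPES:
        findings.append(f"createType {create_type!r} is not allowlisted")
    return findings


# Constructed sample: an ordinary two-file flat disk descriptor (rejected by policy).
SAMPLE_FLAT = '''# Disk DescriptorFile
createType="monolithicFlat"
RW 2048 FLAT "disk-flat.vmdk" 0
'''
# Constructed sample: descriptor of a self-contained stream-optimized image.
SAMPLE_STREAM = '''# Disk DescriptorFile
createType="streamOptimized"
RW 2048 SPARSE "disk.vmdk"
'''

if __name__ == "__main__":
    for label, sample in (("flat", SAMPLE_FLAT), ("stream", SAMPLE_STREAM)):
        print(label, check_vmdk_descriptor(sample) or "accepted")
```

A gate like this complements the version updates listed above and does not replace them.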

Exploit

Fix

Path traversal

Files Accessible to External Parties

Weakness Enumeration

Related Identifiers

ALT-PU-2023-7960
ALT-PU-2024-1074
ALT-PU-2024-12521
ALT-PU-2024-3398
ALT-PU-2024-8418
ALT-PU-2024-9720
BDU:2023-00689
CVE-2022-47951
DLA-3300-1
DLA-3301-1
DLA-3302-1
DSA-5336-1
DSA-5337-1
DSA-5338-1
GHSA-7H75-HWXX-QPGC
RHSA-2023:1015
RHSA-2023:1016
RHSA-2023:1017
RHSA-2023:1278
RHSA-2023:1279
RHSA-2023:1280
SUSE-SU-2023:0844-1
SUSE-SU-2023:1949-1
USN-5835-1
USN-5835-2
USN-5835-3
USN-5835-4
USN-5835-5
USN-6882-2

Affected Products

Alt Linux
Linuxmint
Openstack Cinder
Openstack Glance
Openstack Nova
Ubuntu