Vulnerability Details : CVE-2015-1851
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.
Vulnerability category: Information leak
Products affected by CVE-2015-1851
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:icehouse:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:juno:2014.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:juno:2014.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:juno:2014.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:kilo:2015.1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1851
- 0.24%: Probability of exploitation activity in the next 30 days
- ~61%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-1851
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:L/Au:S/C:C/I:N/A:N | 8.0 | 6.9 | NIST | |
CWE ids for CVE-2015-1851
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1851
- http://www.openwall.com/lists/oss-security/2015/06/17/2
  oss-security - Re: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file (CVE-2015-1850)
- http://www.openwall.com/lists/oss-security/2015/06/17/7
  oss-security - Re: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file (CVE-2015-1851)
- https://bugs.launchpad.net/cinder/+bug/1415087
  Bug #1415087 “[OSSA 2015-011] Format-guessing and file disclosur...” : Bugs : Cinder
- http://www.ubuntu.com/usn/USN-2703-1
  USN-2703-1: Cinder vulnerability | Ubuntu security notices
- http://www.debian.org/security/2015/dsa-3292
  Debian -- Security Information -- DSA-3292-1 cinder
- http://www.openwall.com/lists/oss-security/2015/06/13/1
  oss-security - CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file disclosure in image convert
- http://rhn.redhat.com/errata/RHSA-2015-1206.html
  RHSA-2015:1206 - Security Advisory - Red Hat Customer Portal
- http://lists.openstack.org/pipermail/openstack-announce/2015-June/000367.html
  OpenStack Open Source Cloud Computing Software » Message: [openstack-announce] [OSSA 2015-011.1] Cinder host file disclosure through qcow2 backing file (CVE-2015-1851) ERRATA 1 (Vendor Advisory)