Main Vulnerability Database SB2018111902

SB2018111902 - Red Hat update for cinder

Published: November 19, 2018 Updated: November 19, 2018

Security Bulletin ID SB2018111902

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-15139)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to the ScaleIO driver does not properly delete data on ScaleIO volumes using thin volumes and zero padding on certain storage volume configurations. A remote attacker can create a new volume and access sensitive information from a previously deleted ScaleIO volume.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2018:3601