Main Vulnerability Database Vulnerabilities #VU15931

Information disclosure in Cinder - CVE-2017-15139

Published: November 16, 2018

Vulnerability identifier: #VU15931

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-15139

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Openstack

Affected software:
Cinder

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to the ScaleIO driver does not properly delete data on ScaleIO volumes using thin volumes and zero padding on certain storage volume configurations. A remote attacker can create a new volume and access sensitive information from a previously deleted ScaleIO volume.

How to mitigate CVE-2017-15139

Install update from vendor's website.

Sources

https://wiki.openstack.org/wiki/OSSN/OSSN-0084

Information disclosure in Cinder - CVE-2017-15139

Detailed vulnerability description

How to mitigate CVE-2017-15139

Sources

Please verify you're human