Main Vulnerability Database Vulnerabilities #VU41231

Information disclosure in Cinder - CVE-2014-3641

Published: October 8, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41231

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2014-3641

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Openstack

Affected software:
Cinder

Detailed vulnerability description

The vulnerability allows a remote #AU# to gain access to sensitive information.

The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.

How to mitigate CVE-2014-3641

Install update from vendor's website.

Sources

http://rhn.redhat.com/errata/RHSA-2014-1787.html
http://rhn.redhat.com/errata/RHSA-2014-1788.html
http://seclists.org/oss-sec/2014/q4/78
http://www.securityfocus.com/bid/70221
http://www.ubuntu.com/usn/USN-2405-1
https://bugs.launchpad.net/cinder/+bug/1350504

Information disclosure in Cinder - CVE-2014-3641

Detailed vulnerability description

How to mitigate CVE-2014-3641

Sources

Please verify you're human