Vulnerability identifier: #VU18664
Vulnerability risk: Low
Exploitation vector: Network
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions within "_extract_amp_image_id_by_tag" in "octavia/compute/drivers/nova_driver.py" that does not filter images and used images owned by pre-defined tenant. A remote non-privileged user can tag an image with the 'amphora' tag and set it to "public=true" to gain unauthorized access to lb-mgmt network.
Install updates from vendor's website.
Vulnerable software versions
Octavia: 0.8.0 - 0.8.1
Fixed software versions
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?