CVE-2017-15139

A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://access.redhat.com/errata/RHSA-2018:3601	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0917	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139	Issue Tracking Patch Third Party Advisory
https://wiki.openstack.org/wiki/OSSN/OSSN-0084	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:openstack:cinder:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:openstack:10:::::::*
	cpe:2.3:a:redhat:openstack:13:::::::*

History

04 Aug 2021, 17:14

Type	Values Removed	Values Added
CPE	cpe:2.3:a:redhat:openstack:13.0:::::::*	cpe:2.3:a:redhat:openstack:13:::::::*

Information

Published : 2018-08-27 17:29

Updated : 2023-12-10 12:44

NVD link : CVE-2017-15139

Mitre link : CVE-2017-15139

CVE.ORG link : CVE-2017-15139

JSON object : View

Products Affected

redhat

openstack

openstack

cinder

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2017-15139", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.4}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-08-27T17:29:00.217", "references": [{"url": "https://access.redhat.com/errata/RHSA-2018:3601", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2019:0917", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0084", "tags": ["Mitigation", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad en las versiones de openstack-cinder hasta (e incluyendo) Queens, que permite que los vol\u00famenes nuevos creados en ciertas configuraciones de vol\u00famenes de almacenamiento contengan datos anteriores. Espec\u00edficamente, esto afecta a los vol\u00famenes ScaleIO que emplean vol\u00famenes finos y un relleno de cero. Esto podr\u00eda conducir al filtrado de informaci\u00f3n sensible entre inquilinos (tenants)."}], "lastModified": "2023-02-03T02:10:56.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:openstack:cinder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E29F557-0E0B-445D-8969-1E1DC5F95869", "versionEndIncluding": "12.0.4-7"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA"}, {"criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}