CVE-2022-47951

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.

References

Affected packages

Git / github.com/openstack/cinder

Affected ranges

Type

GIT

Repo

https://github.com/openstack/cinder

Events

Introduced

Last affected

20fba8389185c166cd879b797ed3548898601c9a

Introduced

Last affected

7524a44ebb13b76cf42adee0bfff4d999f8dfbb5

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "11.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/openstack/nova

Events

Introduced

Fixed

a5ce4d806172f9d144633f297163e088c8ed1491

Introduced

928d3feffd674a842d4bb4348d2f0e0d7e93a8a5

Fixed

3872647092353229302919d305758f3fc777277f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "23.0.1"
        },
        {
            "introduced": "24.0.0"
        },
        {
            "fixed": "24.1.1"
        }
    ]
}

Affected versions

0.*

0.9.0

10.*

10.0.0

10.0.0.0b1

10.0.0.0b2

10.0.0.0b3

10.0.0.0rc1

10.0.0.0rc2

11.*

11.0.0

11.0.0.0b1

11.0.0.0b2

11.0.0.0b3

11.0.0.0rc1

11.0.0.0rc2

12.*

12.0.0.0b1

12.0.0.0b2

12.0.0.0b3

12.0.0.0rc1

12.0.0a0

13.*

13.0.0.0b1

13.0.0.0b2

13.0.0.0b3

13.0.0.0rc1

14.*

14.0.0.0b1

14.0.0.0b2

14.0.0.0b3

14.0.0.0rc1

15.*

15.0.0.0b1

15.0.0.0b2

15.0.0.0b3

15.0.0.0rc1

16.*

16.0.0.0b1

16.0.0.0b2

16.0.0.0b3

16.0.0.0rc1

17.*

17.0.0.0b1

17.0.0.0b2

17.0.0.0b3

17.0.0.0rc1

18.*

18.0.0.0b1

18.0.0.0b2

18.0.0.0b3

18.0.0.0rc1

19.*

19.0.0.0rc1

20.*

20.0.0.0rc1

2010.*

2010.1

2011.*

2011.1

2011.1rc1

2011.2

2011.2gamma1

2011.2rc1

2013.*

2013.1.g3

2013.1.rc1

2013.2.b1

2013.2.b2

2013.2.b3

2013.2.rc1

2014.*

2014.1.b1

2014.1.b2

2014.1.b3

2014.1.rc1

2014.2.b1

2014.2.b2

2014.2.b3

2014.2.rc1

2015.*

2015.1.0b1

2015.1.0b2

2015.1.0b3

2015.1.0rc1

21.*

21.0.0.0rc1

22.*

22.0.0

22.0.0.0rc1

23.*

23.0.0

23.0.0.0rc1

23.0.0.0rc2

24.*

24.0.0

24.0.0.0rc2

24.1.0

7.*

7.0.0.0b1

7.0.0.0b2

7.0.0.0b3

7.0.0.0rc1

7.0.0a0

8.*

8.0.0.0b1

8.0.0.0b2

8.0.0.0b3

8.0.0.0rc1

9.*

9.0.0.0b1

9.0.0.0b2

9.0.0.0b3

9.0.0.0rc1

Other

diablo-1

essex-1

folsom-1

folsom-2

folsom-3

grizzly-1

grizzly-2

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "19.1.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "20.0.0"
            },
            {
                "fixed": "20.0.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "24.1.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "25.0.0"
            },
            {
                "fixed": "25.0.2"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-47951.json"