Main Vulnerability Database Vulnerabilities #VU15931

#VU15931 Information disclosure in Cinder - CVE-2017-15139

Published: November 16, 2018

Vulnerability identifier: #VU15931

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-15139

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cinder

Software vendor:
Openstack

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to the ScaleIO driver does not properly delete data on ScaleIO volumes using thin volumes and zero padding on certain storage volume configurations. A remote attacker can create a new volume and access sensitive information from a previously deleted ScaleIO volume.

Remediation

Install update from vendor's website.

External links

https://wiki.openstack.org/wiki/OSSN/OSSN-0084