PyPi: Cinder

CVE-2020-10755

Safety vulnerability ID: 38408

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 10, 2020 Updated at Dec 05, 2024

Scan your Python projects for vulnerabilities →

Advisory

Cinder versions 14.1.0, 15.2.0 and 16.1.0 include a fix for CVE-2020-10755: An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the 'connection_info' element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API.
https://wiki.openstack.org/wiki/OSSN/OSSN-0086

Affected package

cinder

Latest version: 25.0.0

OpenStack Block Storage

Affected versions

Fixed versions

Vulnerability changelog

An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project

CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10755: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10755
MISC:https://wiki.openstack.org/wiki/OSSN/OSSN-0086: https://wiki.openstack.org/wiki/OSSN/OSSN-0086

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.5

CVSS v3 Details

MEDIUM 6.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Availability (A): NONE

CVSS v2 Details

MEDIUM 4.3

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): NONE
Availability Impact (A): NONE