CVE-2020-9543

Advisory

OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks. See: CVE-2020-9543.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.


CONFIRM:http://www.openwall.com/lists/oss-security/2020/03/12/1: http://www.openwall.com/lists/oss-security/2020/03/12/1
CONFIRM:https://security.openstack.org/ossa/OSSA-2020-002.html: https://security.openstack.org/ossa/OSSA-2020-002.html
MISC:https://bugs.launchpad.net/manila/+bug/1861485: https://bugs.launchpad.net/manila/+bug/1861485
MLIST:[oss-security] 20200311 [OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543): http://www.openwall.com/lists/oss-security/2020/03/12/1

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543
• https://bugs.launchpad.net/manila/+bug/1861485
• http://www.openwall.com/lists/oss-security/2020/03/12/1
• https://security.openstack.org/ossa/OSSA-2020-002.html