CVE-2015-1851: OpenStack Cinder file disclosure in image convert

May 17, 2022 (updated May 14, 2024)

OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.

References

bugs.launchpad.net/cinder/+bug/1415087
github.com/advisories/GHSA-9hcj-h2qc-689p
github.com/openstack/cinder
github.com/openstack/cinder/commit/9634b76ba5886d6c2f2128d550cb005dabf48213
github.com/openstack/cinder/commit/b1143ee45323e63b965a3710f9063e65b252c978
github.com/openstack/cinder/commit/bc0549e08b010edb863d409d80114aa78d317a61
github.com/openstack/cinder/commit/d31c937c566005dedf41a60c6b5bd5e7b26f221b
nvd.nist.gov/vuln/detail/CVE-2015-1851

Detect and mitigate CVE-2015-1851 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →