CVE-2014-3641 – openstack-cinder: Cinder-volume host data leak to virtual machine instance
https://notcve.org/view.php?id=CVE-2014-3641
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header. Los controladores (1) GlusterFS y (2) Linux Smbfs en OpenStack Cinder anterior a 2014.1.3 permiten a usuarios remotos autenticados obtener datos de ficheros del anfitrión Cinder-volume mediante el clonación y adjunto de un volumen con una cabecera qcow2 manipulada. • http://rhn.redhat.com/errata/RHSA-2014-1787.html http://rhn.redhat.com/errata/RHSA-2014-1788.html http://seclists.org/oss-sec/2014/q4/78 http://www.securityfocus.com/bid/70221 http://www.ubuntu.com/usn/USN-2405-1 https://bugs.launchpad.net/cinder/+bug/1350504 https://access.redhat.com/security/cve/CVE-2014-3641 https://bugzilla.redhat.com/show_bug.cgi?id=1141996 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-4183 – OpenStack: Cinder LVM volume driver does not support secure deletion
https://notcve.org/view.php?id=CVE-2013-4183
The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors. La función clear_volume en el driver LVMVolumeDriver en OpenStack Cinder 2013.1.1 a 2013.1.2 no limpia correctamente datos al borrar una captura, lo cual permite a usuarios locales obtener información sensible a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2013-1198.html http://www.ubuntu.com/usn/USN-2005-1 https://bugs.launchpad.net/cinder/+bug/1198185 https://access.redhat.com/security/cve/CVE-2013-4183 https://bugzilla.redhat.com/show_bug.cgi?id=994355 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-4202 – OpenStack: Cinder Denial of Service using XML entities
https://notcve.org/view.php?id=CVE-2013-4202
The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664. El (1) backup (api/contrib/backups.py) y (2) el APIs de transferencia de almacenamiento (contrib/volume_transfer.py) en OpenStack Cinder Grizzly 2013.1.3 y anteriores permite a atacantes remotos provocar una denegación de servicio (consumo de recursos y caída) a través de un ataque XML Entity Expansion (XEE). NOTA: esta cuestión es debido a una solución incompleta del CVE-2013-1664. • http://rhn.redhat.com/errata/RHSA-2013-1198.html http://www.ubuntu.com/usn/USN-2005-1 https://bugs.launchpad.net/ossa/+bug/1190229 https://access.redhat.com/security/cve/CVE-2013-4202 https://bugzilla.redhat.com/show_bug.cgi?id=991630 • CWE-399: Resource Management Errors •