CVE-2017-15139
openstack-cinder: Data retained after deletion of a ScaleIO volume
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
Se ha detectado una vulnerabilidad en las versiones de openstack-cinder hasta (e incluyendo) Queens, que permite que los volúmenes nuevos creados en ciertas configuraciones de volúmenes de almacenamiento contengan datos anteriores. Específicamente, esto afecta a los volúmenes ScaleIO que emplean volúmenes finos y un relleno de cero. Esto podría conducir al filtrado de información sensible entre inquilinos (tenants).
An information-leak flaw was found in openstack-cinder deployments using the third-party EMC ScaleIO backend. It was possible for new volumes to contain previous data if they were created from storage pools which had disabled zero-padding. An attacker could exploit this flaw to obtain sensitive information.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-10-08 CVE Reserved
- 2018-08-27 CVE Published
- 2023-08-21 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
https://wiki.openstack.org/wiki/OSSN/OSSN-0084 | Mitigation |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139 | 2023-02-03 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2018:3601 | 2023-02-03 | |
https://access.redhat.com/errata/RHSA-2019:0917 | 2023-02-03 | |
https://access.redhat.com/security/cve/CVE-2017-15139 | 2019-04-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1599899 | 2019-04-30 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openstack Search vendor "Openstack" | Cinder Search vendor "Openstack" for product "Cinder" | <= 12.0.4-7 Search vendor "Openstack" for product "Cinder" and version " <= 12.0.4-7" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 10 Search vendor "Redhat" for product "Openstack" and version "10" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 13 Search vendor "Redhat" for product "Openstack" and version "13" | - |
Affected
|