[OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)


Goutham Pacha Ravi

=================================================================================
OSSA-2020-002: Unprivileged users can retrieve, use and manipulate
share networks
=================================================================================

:Date: March 10, 2020
:CVE: CVE-2020-9543


Affects
~~~~~~~
- Manila: <7.4.1, >=8.0.0 <8.1.1, >=9.0.0 <9.1.1


Description
~~~~~~~~~~~
Tobias Rydberg from City Network Hosting AB reported a vulnerability
in Manila's share network APIs. An attacker can retrieve and
manipulate share networks that do not belong to them if they possess
the share network ID. By exploiting this vulnerability, they can view
and manipulate share network subnets and use the share network to
create resources such as shares and share groups.


Patches
~~~~~~~
- https://review.opendev.org/712167 (Pike)
- https://review.opendev.org/712166 (Queens)
- https://review.opendev.org/712165 (Rocky)
- https://review.opendev.org/712164 (Stein)
- https://review.opendev.org/712163 (Train)
- https://review.opendev.org/712158 (Ussuri)


Credits
~~~~~~~
- Tobias Rydberg from City Network Hosting AB (CVE-2020-9543)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1861485
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543


Notes
~~~~~
- The stable/queens and stable/pike branches are under extended maintenance
  and will receive no new point releases, but patches for them are provided
  as a courtesy.


--
Goutham Pacha Ravi
PTL, OpenStack Manila

_______________________________________________
OpenStack-announce mailing list
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce
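
An added example, not part of the advisory or of Manila's own code: after patching, an operator can audit for the impact the Description names, shares or share groups created on a share network that belongs to another project. The records are constructed, the field names (`id`, `project_id`, `share_network_id`) are assumptions about an admin-level export, and the check assumes a resource is expected to live in the same project as its share network.

```python
from collections import namedtuple

Finding = namedtuple(
    "Finding", "kind resource_id resource_project network_id network_project"
)

# Constructed sample data (not from the advisory). Field names are assumptions
# modelled on an admin-level export of share networks, shares and share groups.
SHARE_NETWORKS = [
    {"id": "net-a", "project_id": "proj-1"},
    {"id": "net-b", "project_id": "proj-2"},
]
SHARES = [
    {"id": "share-1", "project_id": "proj-1", "share_network_id": "net-a"},
    {"id": "share-2", "project_id": "proj-3", "share_network_id": "net-b"},
    {"id": "share-3", "project_id": "proj-2", "share_network_id": None},
    {"id": "share-4", "project_id": "proj-1", "share_network_id": "net-gone"},
]
SHARE_GROUPS = [
    {"id": "group-1", "project_id": "proj-1", "share_network_id": "net-b"},
]


def audit_cross_project_use(share_networks, shares, share_groups):
    """Return resources whose project differs from their share network's project."""
    owner = {net["id"]: net["project_id"] for net in share_networks}
    findings = []
    for kind, resources in (("share", shares), ("share_group", share_groups)):
        for res in resources:
            net_id = res.get("share_network_id")
            if net_id is None:
                continue  # resource does not use a share network
            # None here means the network is missing from the export;
            # it is reported too so that it gets a manual look.
            net_project = owner.get(net_id)
            if net_project != res["project_id"]:
                findings.append(
                    Finding(kind, res["id"], res["project_id"], net_id, net_project)
                )
    return findings


if __name__ == "__main__":
    for f in audit_cross_project_use(SHARE_NETWORKS, SHARES, SHARE_GROUPS):
        reason = "unknown network" if f.network_project is None else "project mismatch"
        print(f"{reason}: {f.kind} {f.resource_id} (project {f.resource_project}) "
              f"uses {f.network_id} (project {f.network_project})")
```

A finding is a lead for review rather than proof of abuse; correlate it with API request logs for the share network ID in question.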