CVE 2015-7548
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allows remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.
Related bugs and status
CVE-2015-7548 (Candidate) is related to these bugs:
Bug #1524274: [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1524274 | [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548) | OpenStack Compute (nova) | High | Fix Released
1524274 | [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548) | OpenStack Security Advisory | Critical | Fix Released
1524274 | [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548) | OpenStack Compute (nova) kilo | High | Fix Released
Bug #1530927: [OSSA 2016-001] Nova host data leak through snapshot
Bug | Summary | In | Importance | Status
---|---|---|---|---
1530927 | [OSSA 2016-001] Nova host data leak through snapshot | Mirantis OpenStack | High | Fix Released
1530927 | [OSSA 2016-001] Nova host data leak through snapshot | Mirantis OpenStack 8.0.x | High | Fix Released
1530927 | [OSSA 2016-001] Nova host data leak through snapshot | Mirantis OpenStack 6.0.x | High | Fix Released
1530927 | [OSSA 2016-001] Nova host data leak through snapshot | Mirantis OpenStack 7.0.x | High | Fix Released
1530927 | [OSSA 2016-001] Nova host data leak through snapshot | Mirantis OpenStack 9.x | High | Fix Released
1530927 | [OSSA 2016-001] Nova host data leak through snapshot | Mirantis OpenStack 5.1.x | High | Fix Released
1530927 | [OSSA 2016-001] Nova host data leak through snapshot | Mirantis OpenStack 6.1.x | High | Fix Released
Bug #1531938: [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1531938 | [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548) | Mirantis OpenStack | High | New
1531938 | [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548) | Mirantis OpenStack 7.0.x | High | New
See the CVE page on Mitre.org for more details.