Updating affected version to include recent stable release.
Title: Host file disclosure through qcow2 backing file
Reporter: Bastian Blank (credativ)
Products: Cinder and Nova
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3, and version 2015.1.0
Description:
Bastian Blank from credativ reported a vulnerability in Cinder and Nova. By overwriting an image with a malicious qcow2 header, an authenticated user may mislead the Cinder upload-to-image action, resulting in disclosure of any file from the Cinder server. A similar vulnerability in Nova can also be used by an authenticated user to trick Nova during a snapshot upload, resulting in disclosure of any file to which the Nova process user has access. All Cinder and Nova setups are affected.
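One way to check user-writable volume data for the condition described above, a qcow2 header that names a backing file, before the data is passed to an image tool. This is an added example, not code from Cinder or Nova; the function names, the reject policy and the sample bytes are assumptions constructed for illustration, and the field layout follows the published qcow2 header format.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# Big-endian fields at the start of a qcow2 header:
# magic (4), version (4), backing_file_offset (8), backing_file_size (4)
HEADER_PREFIX = struct.Struct(">4sIQI")
MAX_BACKING_NAME = 1023  # the qcow2 format limits the backing file name to 1023 bytes


def inspect_volume_header(data: bytes) -> dict:
    """Report what the leading bytes of a volume would look like to a qcow2 parser."""
    finding = {"looks_like": "raw", "version": None,
               "backing_ref": False, "backing_file": None}
    if len(data) < HEADER_PREFIX.size or not data.startswith(QCOW_MAGIC):
        return finding
    _magic, version, offset, length = HEADER_PREFIX.unpack_from(data)
    finding.update(looks_like="qcow2", version=version, backing_ref=offset != 0)
    # Decode the name only when it lies fully inside the bytes we were given.
    if offset and length <= MAX_BACKING_NAME and offset + length <= len(data):
        finding["backing_file"] = data[offset:offset + length].decode("utf-8", "replace")
    return finding


def must_reject(data: bytes) -> bool:
    """Hypothetical policy: refuse volume data whose header references a backing file."""
    return inspect_volume_header(data)["backing_ref"]


def build_sample_header(backing_name: bytes = b"") -> bytes:
    """Constructed test input: a 72-byte v2 header prefix, optional name, padded to 512 bytes."""
    offset = 72 if backing_name else 0
    head = HEADER_PREFIX.pack(QCOW_MAGIC, 2, offset, len(backing_name))
    return (head.ljust(72, b"\0") + backing_name).ljust(512, b"\0")


if __name__ == "__main__":
    samples = {
        "zeroed raw volume": b"\0" * 512,
        "qcow2 header, no backing file": build_sample_header(),
        "qcow2 header with backing file": build_sample_header(b"constructed-base.img"),
    }
    for label, blob in samples.items():
        print(label, inspect_volume_header(blob), "reject" if must_reject(blob) else "ok")
```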