Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS03aDc1LWh3eHgtcXBnY84AAxNS

Moderate EPSS: 0.00482% (0.63804 Percentile) EPSS:
Permalink JSON

OpenStack Cinder, glance, and Nova vulnerable to Path Traversal

Affected Packages Affected Versions Fixed Versions
pypi:nova >= 25.0.0, < 25.0.2, < 24.1.2 25.0.2, 24.1.2
0 Dependent packages
40 Dependent repositories
3,743 Downloads last month

Affected Version Ranges

All affected versions

15.1.5, 16.1.6, 16.1.7, 16.1.8, 17.0.7, 17.0.8, 17.0.9, 17.0.10, 17.0.11, 17.0.12, 17.0.13, 18.0.2, 18.0.3, 18.1.0, 18.2.0, 18.2.1, 18.2.2, 18.2.3, 18.3.0, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.2.0, 19.3.0, 19.3.1, 19.3.2, 20.0.0, 20.0.1, 20.1.0, 20.1.1, 20.2.0, 20.3.0, 20.4.0, 20.4.1, 20.5.0, 20.6.0, 20.6.1, 21.0.0, 21.1.0, 21.1.1, 21.1.2, 21.2.0, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 22.0.0, 22.0.1, 22.1.0, 22.2.0, 22.2.1, 22.2.2, 22.3.0, 22.4.0, 23.0.0, 23.0.1, 23.0.2, 23.1.0, 23.2.0, 23.2.1, 23.2.2, 24.0.0, 24.1.0, 24.1.1, 25.0.0, 25.0.1

All unaffected versions

24.2.0, 24.2.1, 25.1.0, 25.1.1, 25.2.0, 25.2.1, 25.3.0, 26.0.0, 26.1.0, 26.1.1, 26.2.0, 26.2.1, 26.2.2, 26.3.0, 27.0.0, 27.1.0, 27.2.0, 27.3.0, 27.4.0, 27.5.0, 27.5.1, 28.0.0, 28.0.1, 28.1.0, 28.2.0, 28.3.0, 28.3.1, 29.0.0, 29.0.1, 29.0.2, 29.1.0, 29.2.0, 29.2.1, 30.0.0, 31.0.0
pypi:glance >= 24.0.0, < 24.1.1, < 23.0.1 24.1.1, 23.0.1
0 Dependent packages
13 Dependent repositories
3,050 Downloads last month

Affected Version Ranges

All affected versions

15.0.2, 17.0.1, 18.0.0, 18.0.1, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 20.0.0, 20.0.1, 20.1.0, 20.2.0, 21.0.0, 21.1.0, 22.0.0, 22.1.0, 22.1.1, 23.0.0, 24.0.0, 24.1.0

All unaffected versions

23.1.0, 24.2.0, 24.2.1, 25.0.0, 25.1.0, 26.0.0, 26.1.0, 27.0.0, 27.1.0, 27.1.1, 28.0.0, 28.0.1, 28.1.0, 29.0.0, 30.0.0
pypi:cinder >= 20.0.0, < 20.0.2, < 19.1.2 20.0.2, 19.1.2
1 Dependent packages
12 Dependent repositories
7,443 Downloads last month

Affected Version Ranges

All affected versions

10.0.8, 11.2.0, 11.2.1, 11.2.2, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.1.0, 14.2.0, 14.2.1, 14.3.0, 14.3.1, 15.0.0, 15.0.1, 15.1.0, 15.2.0, 15.3.0, 15.4.0, 15.4.1, 15.5.0, 15.6.0, 16.0.0, 16.1.0, 16.2.0, 16.2.1, 16.3.0, 16.4.0, 16.4.1, 16.4.2, 17.0.0, 17.0.1, 17.1.0, 17.2.0, 17.3.0, 17.4.0, 18.0.0, 18.1.0, 18.2.0, 18.2.1, 19.0.0, 19.1.0, 19.1.1, 20.0.0, 20.0.1

All unaffected versions

19.2.0, 19.3.0, 20.1.0, 20.2.0, 20.3.0, 20.3.1, 20.3.2, 21.0.0, 21.1.0, 21.2.0, 21.3.0, 21.3.1, 21.3.2, 22.0.0, 22.1.0, 22.1.1, 22.1.2, 22.2.0, 22.3.0, 23.0.0, 23.1.0, 23.2.0, 23.3.0, 23.4.0, 23.5.0, 24.0.0, 24.1.0, 24.2.0, 24.3.0, 24.4.0, 25.0.0, 25.1.0, 25.2.0, 26.0.0, 26.1.0

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.

References:

Identifiers

GHSA-7h75-hwxx-qpgc

CVE-2022-47951

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00482

EPSS Percentile: 0.63804

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

over 2 years ago

Updated

over 2 years ago

API

JSON