[OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)

Goutham Pacha Ravi gouthampravi at gmail.com
Wed Mar 11 21:17:53 UTC 2020


=================================================================================
OSSA-2020-002: Unprivileged users can retrieve, use and manipulate
share networks
=================================================================================

:Date: March 10, 2020
:CVE: CVE-2020-9543


Affects
~~~~~~~
- Manila: <7.4.1, >=8.0.0 <8.1.1, >=9.0.0 <9.1.1


Description
~~~~~~~~~~~
Tobias Rydberg from City Network Hosting AB reported a vulnerability
in Manila's share network APIs. An attacker can retrieve and
manipulate share networks that do not belong to them if they possess
the share network ID. By exploiting this vulnerability, they can view
and manipulate share network subnets and use the share network to
create resources such as shares and share groups.


Patches
~~~~~~~
- https://review.opendev.org/712167 (Pike)
- https://review.opendev.org/712166 (Queens)
- https://review.opendev.org/712165 (Rocky)
- https://review.opendev.org/712164 (Stein)
- https://review.opendev.org/712163 (Train)
- https://review.opendev.org/712158 (Ussuri)


Credits
~~~~~~~
- Tobias Rydberg from City Network Hosting AB (CVE-2020-9543)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1861485
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543


Notes
~~~~~
- The stable/queens and stable/pike branches are under extended
  maintenance and will receive no new point releases, but patches for
  them are provided as a courtesy.

--
Goutham Pacha Ravi
PTL, OpenStack Manila


