=================================================================================
OSSA-2020-002: Unprivileged users can retrieve, use and manipulate share networks
=================================================================================

:Date: March 10, 2020
:CVE: CVE-2020-9543

Affects
~~~~~~~
- Manila: <7.4.1, >=8.0.0 <8.1.1, >=9.0.0 <9.1.1

Description
~~~~~~~~~~~
Tobias Rydberg from City Network Hosting AB reported a vulnerability in
Manila's share network APIs. An attacker can retrieve and manipulate share
networks that do not belong to them if they possess the share network ID. By
exploiting this vulnerability, they can view and manipulate share network
subnets and use the share network to create resources such as shares and
share groups.

Patches
~~~~~~~
- https://review.opendev.org/712167 (Pike)
- https://review.opendev.org/712166 (Queens)
- https://review.opendev.org/712165 (Rocky)
- https://review.opendev.org/712164 (Stein)
- https://review.opendev.org/712163 (Train)
- https://review.opendev.org/712158 (Ussuri)

Credits
~~~~~~~
- Tobias Rydberg from City Network Hosting AB (CVE-2020-9543)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1861485
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543

Notes
~~~~~
- The stable/queens and stable/pike branches are under extended maintenance
  and will receive no new point releases, but patches for them are provided
  as a courtesy.

--
Goutham Pacha Ravi
PTL, OpenStack Manila
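
To triage a deployment against the "Affects" ranges above, the following added example (not part of the advisory and not OpenStack code) parses the range string exactly as published and tests an installed Manila version against it. It assumes plain dotted numeric versions such as `8.1.0`; the function names are hypothetical.

```python
import operator
import re

# Affected ranges copied from the advisory's "Affects" section.
AFFECTED_SPEC = "<7.4.1, >=8.0.0 <8.1.1, >=9.0.0 <9.1.1"

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq}
_CONSTRAINT = re.compile(r"(<=|>=|==|<|>)(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '8.1.0' into (8, 1, 0); reject anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(a, b):
    """Pad the shorter tuple with zeros so that 8.1 compares equal to 8.1.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def parse_spec(spec):
    """Parse comma-separated ranges; constraints inside one range are ANDed."""
    ranges = []
    for clause in spec.split(","):
        constraints = []
        for token in clause.split():
            match = _CONSTRAINT.match(token)
            if not match:
                raise ValueError(f"bad constraint: {token!r}")
            constraints.append((_OPS[match.group(1)], parse_version(match.group(2))))
        if not constraints:
            raise ValueError("empty range in spec")
        ranges.append(constraints)
    return ranges


def is_affected(version, spec=AFFECTED_SPEC):
    """True when the version falls inside any one of the affected ranges."""
    installed = parse_version(version)
    return any(
        all(op(*_pad(installed, bound)) for op, bound in constraints)
        for constraints in parse_spec(spec)
    )
```

Versions carrying a pre-release or distribution suffix are rejected with `ValueError` rather than guessed at, so check those by hand against the fixed releases.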