Vulnerability Description
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Cinder | <= 12.0.4-7 |
| Redhat | Openstack | 10 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2018:3601Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0917Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139Issue TrackingPatchThird Party Advisory
- https://wiki.openstack.org/wiki/OSSN/OSSN-0084MitigationThird Party Advisory
- https://access.redhat.com/errata/RHSA-2018:3601Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0917Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139Issue TrackingPatchThird Party Advisory
- https://wiki.openstack.org/wiki/OSSN/OSSN-0084MitigationThird Party Advisory
FAQ
What is CVE-2017-15139?
CVE-2017-15139 is a vulnerability with a CVSS score of 7.5 (HIGH). A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically aff...
How severe is CVE-2017-15139?
CVE-2017-15139 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-15139?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Cinder, Redhat Openstack.