CVE-2015-1851 — cinder - security update

Description

OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.

How to fix CVE-2015-1851

To remediate CVE-2015-1851, upgrade the affected package to a fixed version below.

Debian/cinder—upgrade to 2015.1.0+2015.06.16.git26.9634b76ba5-1 or later
Debian/cinder—upgrade to 2014.1.3-11+deb8u1 or later
PyPI/cinder—upgrade to 7.0.0a0 or later

Is CVE-2015-1851 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2015.1.0+2015.06.16.git26.9634b76ba5-1
from 0, < 2014.1.3-11+deb8u1
from 0, < 7.0.0a0

References (15)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-1851
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-1851
PATCHgithub.com/openstack/cinder
WEBlists.openstack.org/pipermail/openstack-announce/2015-June/000367.html
WEB