Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
不充分的凭证保护机制
Vulnerability Title
OpenStack openstack-cinder 安全漏洞
Vulnerability Description
OpenStack是美国国家航空航天局(National Aeronautics and Space Administration)和美国Rackspace公司合作研发的一个云平台管理项目。openstack-cinder是其中的一个块存储服务。 OpenStack openstack-cinder 14.1.0之前版本、15.2.0之前的15.x.x版本和16.1.0之前的16.x.x版本中存在安全漏洞。攻击者可利用该漏洞创建卷,进行API调用以显示附件详细信息,以及检索可用于连接到其他用户卷的用户名和
CVSS Information
N/A
Vulnerability Type
N/A