CVE-2020-9543 — Incorrect Default Permissions in Manila

CWE-276 — Incorrect Default Permissions CWE-284 — Improper Access Control11 documents7 sources

Severity

8.3HIGHNVD

EPSS

0.3%

top 49.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Manila

Timeline

PublishedMar 12

Latest updateFeb 13

Description

OpenStack Manila =8.0.0 =9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:LExploitability: 2.8 | Impact: 5.5

Affected Packages3 packages

▶NVDopenstack/manila8.0.0 — 8.1.1+2

▶PyPIopenstack/manila8.0.0 — 8.1.1+2

▶Debianopenstack/manila< 1:9.0.0-5+3

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: security.openstack.org ↗

🔴Vulnerability Details

OSV

nova vulnerabilities↗2023-02-13

▶

GHSA

OpenStack Manila Unprivileged users can retrieve, use and manipulate share networks↗2022-05-24

▶

OSV

OpenStack Manila Unprivileged users can retrieve, use and manipulate share networks↗2022-05-24

▶

CVEList

CVE-2020-9543: OpenStack Manila =8↗2020-03-12

▶

OSV

CVE-2020-9543: OpenStack Manila =8↗2020-03-12

▶

📋Vendor Advisories

Red Hat

openstack-manila: User with share-network UUID is able to show, create and delete shares↗2020-03-10

▶

Debian

CVE-2020-9543: manila - OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to ...↗2020

▶

💬Community

Bugzilla

CVE-2020-9543 openstack-manila: User with share-network UUID is able to show, create and delete shares [openstack-rdo]↗2020-03-11

▶

Bugzilla

CVE-2020-9543 openstack-manila: User with share-network UUID is able to show, create and delete shares↗2020-03-04

▶

Bugzilla

CVE-2015-9543 openstack-nova: leak consoleauth tokens into log files↗2020-02-20

▶