{
  "threat_severity" : "Moderate",
  "public_date" : "2020-03-10T15:00:00Z",
  "bugzilla" : {
    "description" : "openstack-manila: User with share-network UUID is able to show, create and delete shares",
    "id" : "1809855",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1809855"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.", "An access flaw was found in openstack-manila, where the API did not validate the user/project on commands. A malicious user having the UUID of a share-network could view, update, delete, or share resources that did not belong to them. Attackers could also create resources on those share networks (for example, shared file systems or groups of shares)." ],
  "acknowledgement" : "Red Hat would like to thank the OpenStack Manila project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2020-06-24T00:00:00Z",
    "advisory" : "RHSA-2020:2729",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "openstack-manila-1:6.3.2-3.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS",
    "release_date" : "2020-06-24T00:00:00Z",
    "advisory" : "RHSA-2020:2729",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "openstack-manila-1:6.3.2-3.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15.0 (Stein)",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1326",
    "cpe" : "cpe:/a:redhat:openstack:15::el8",
    "package" : "openstack-manila-1:8.1.1-0.20200311070441.17b29e2.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.0 (Train)",
    "release_date" : "2020-05-14T00:00:00Z",
    "advisory" : "RHSA-2020:2165",
    "cpe" : "cpe:/a:redhat:openstack:16::el8",
    "package" : "openstack-manila-1:9.1.2-0.20200405045746.f071a43.el8ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-manila",
    "cpe" : "cpe:/a:redhat:openstack:10"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-9543\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-9543\nhttps://security.openstack.org/ossa/OSSA-2020-002.html" ],
  "name" : "CVE-2020-9543",
  "mitigation" : {
    "value" : "There is no known mitigation for this issue; the flaw can only be resolved by applying updates.",
    "lang" : "en:us"
  },
  "csaw" : false
}