CVE-2015-1850
A flaw was found in how the OpenStack Compute (nova) service handles the qemu-img functionality during a snapshot upload. An authenticated attacker could possibly use this flaw to trick Compute into disclosing any file to which the Compute service user has access. However, it is unlikely that the code path can currently be exploited by an attacker.
Find out more about CVE-2015-1850 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat Product Security has rated this issue as having Low security impact in all supported versions of Red Hat Enterprise Linux OpenStack Platform. While this issue is present, we do not believe the code path is currently reachable in an attacker exploitable fashion.
A future update may address this flaw.
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 5.5 |
|---|---|
| Base Metrics | AV:A/AC:L/Au:S/C:C/I:N/A:N |
| Access Vector | Adjacent Network |
| Access Complexity | Low |
| Authentication | Single |
| Confidentiality Impact | Complete |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | openstack-nova | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | openstack-nova | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | openstack-nova | Will not fix |