Vulnerability DatabaseCVE-2020-10755
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2020-10755
June 10, 2020
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the "connection_info" element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project
Affected Packages
os-brick (PYTHON):
Affected version(s) >=3.0.0 <3.0.2
Fix Suggestion:
Update to version 3.0.2
os-brick (PYTHON):
Affected version(s) >=2.8.0 <2.8.6
Fix Suggestion:
Update to version 2.8.6
cinder (PYTHON):
Affected version(s) >=14.0.0 <14.1.0
Fix Suggestion:
Update to version 14.1.0
cinder (PYTHON):
Affected version(s) =16.0.0 <16.1.0
Fix Suggestion:
Update to version 16.1.0
os-brick (PYTHON):
Affected version(s) >=2.10.0 <2.10.4
Fix Suggestion:
Update to version 2.10.4
cinder (PYTHON):
Affected version(s) >=15.0.0 <15.2.0
Fix Suggestion:
Update to version 15.2.0
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (9)
https://bugs.launchpad.net/cinder/+bug/1823200
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10755
https://usn.ubuntu.com/4420-1/
https://wiki.openstack.org/wiki/OSSN/OSSN-0086
https://github.com/openstack/cinder/commit/ba785eef5f515b869c0d68016e84bb74f76ab45e
https://github.com/openstack/os-brick/commit/4047948f1ac8055a025972ad73ec3ec421450775
https://nvd.nist.gov/vuln/detail/CVE-2020-10755
https://github.com/pypa/advisory-database/tree/main/vulns/cinder/PYSEC-2020-228.yaml
https://usn.ubuntu.com/4420-1
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
4.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Insufficiently Protected Credentials
CWE-522
EPSS
Base Score:
0.32