CVE-2014-3641 — OpenStack Cinder Exposure of Sensitive Information to an Unauthorized Actor vuln

Description

The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.

How to fix CVE-2014-3641

To remediate CVE-2014-3641, upgrade the affected package to a fixed version below.

Debian/cinder—upgrade to 2014.1.3-1 or later
PyPI/cinder—upgrade to 2014.1.3 or later

Is CVE-2014-3641 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2014.1.3-1
from 0, < 2014.1.3

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3641
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3641
PATCHopendev.org/openstack/cinder
WEBrhn.redhat.com/errata/RHSA-2014-1787.html
WEB