{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-12T16:40:49", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/manila/+bug/1861485"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.openstack.org/ossa/OSSA-2020-002.html"}, {"name": "[oss-security] 20200311 [OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/03/12/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.openwall.com/lists/oss-security/2020/03/12/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-9543", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.launchpad.net/manila/+bug/1861485", "refsource": "MISC", "url": "https://bugs.launchpad.net/manila/+bug/1861485"}, {"name": "https://security.openstack.org/ossa/OSSA-2020-002.html", "refsource": "CONFIRM", "url": "https://security.openstack.org/ossa/OSSA-2020-002.html"}, {"name": "[oss-security] 20200311 [OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/03/12/1"}, {"name": "http://www.openwall.com/lists/oss-security/2020/03/12/1", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2020/03/12/1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:34:38.884Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.launchpad.net/manila/+bug/1861485"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.openstack.org/ossa/OSSA-2020-002.html"}, {"name": "[oss-security] 20200311 [OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/03/12/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/03/12/1"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-9543", "datePublished": "2020-03-12T16:40:20", "dateReserved": "2020-03-02T00:00:00", "dateUpdated": "2024-08-04T10:34:38.884Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:manila:*:*:*:*:*:*:*:*", "matchCriteriaId": "83E27DF7-877D-4D0E-86D7-4D4B1463B97F", "versionEndExcluding": "7.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:manila:*:*:*:*:*:*:*:*", "matchCriteriaId": "3460FC85-381C-4BFD-9EEA-CCA46FA9FDD5", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:manila:*:*:*:*:*:*:*:*", "matchCriteriaId": "2998594D-0B58-4E08-8508-DB1E4DD35CC1", "versionEndExcluding": "9.1.1", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks."}, {"lang": "es", "value": "OpenStack Manila versiones anteriores a 7.4.1, versiones posteriores a 8.0.0 incluy\u00e9ndola y anteriores a 8.1.1, y versiones posteriores a 9.0.0 incluy\u00e9ndola y anteriores a 9.1.1, permite a atacantes visualizar, actualizar, eliminar o compartir recursos que no les pertenecen, debido a una b\u00fasqueda sin contexto de un UUID. Los atacantes tambi\u00e9n pueden crear recursos, tales como sistemas de archivos compartidos y grupos de intercambio sobre esas redes compartidas."}], "id": "CVE-2020-9543", "lastModified": "2020-07-14T17:27:47.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-12T17:15:11.077", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/03/12/1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugs.launchpad.net/manila/+bug/1861485"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://security.openstack.org/ossa/OSSA-2020-002.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the OpenStack Manila project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:2729", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "openstack-manila-1:6.3.2-3.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2020-06-24T00:00:00Z"}, {"advisory": "RHSA-2020:2729", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "openstack-manila-1:6.3.2-3.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS", "release_date": "2020-06-24T00:00:00Z"}, {"advisory": "RHSA-2020:1326", "cpe": "cpe:/a:redhat:openstack:15::el8", "package": "openstack-manila-1:8.1.1-0.20200311070441.17b29e2.el8ost", "product_name": "Red Hat OpenStack Platform 15.0 (Stein)", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:2165", "cpe": "cpe:/a:redhat:openstack:16::el8", "package": "openstack-manila-1:9.1.2-0.20200405045746.f071a43.el8ost", "product_name": "Red Hat OpenStack Platform 16.0 (Train)", "release_date": "2020-05-14T00:00:00Z"}], "bugzilla": {"description": "openstack-manila: User with share-network UUID is able to show, create and delete shares", "id": "1809855", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1809855"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-284", "details": ["OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.", "An access flaw was found in openstack-manila, where the API did not validate the user/project on commands. A malicious user having the UUID of a share-network could view, update, delete, or share resources that did not belong to them. Attackers could also create resources on shared networks (for example, shared file systems or groups of shares)."], "mitigation": {"lang": "en:us", "value": "There is no known mitigation for this issue, the flaw can only be resolved by applying updates."}, "name": "CVE-2020-9543", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "openstack-manila", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}], "public_date": "2020-03-10T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-9543\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-9543\nhttps://security.openstack.org/ossa/OSSA-2020-002.html"], "threat_severity": "Moderate", "upstream_fix": "manila 7.4.1, manila 8.1.1, manila 9.1.1"}