CVE 2015-1851
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.
Related bugs and status
CVE-2015-1851 (Candidate) is related to these bugs:
Bug #1415087: [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1415087 | [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) | Cinder | High | Fix Released | ||
| 1415087 | [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) | OpenStack Security Advisory | High | Fix Released | ||
| 1415087 | [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) | OpenStack Compute (nova) | High | Invalid | ||
| 1415087 | [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) | Cinder icehouse | High | Fix Released | ||
| 1415087 | [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) | Cinder juno | High | Fix Released | ||
| 1415087 | [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) | Cinder kilo | High | Fix Released | ||
Bug #1449062: [OSSA 2016-012] qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Bug #1465333: Format-guessing and file disclosure in image convert (CVE-2015-1850)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1465333 | Format-guessing and file disclosure in image convert (CVE-2015-1850) | Mirantis OpenStack | Critical | Fix Released | ||
| 1465333 | Format-guessing and file disclosure in image convert (CVE-2015-1850) | Mirantis OpenStack 6.0.x | Critical | Fix Released | ||
| 1465333 | Format-guessing and file disclosure in image convert (CVE-2015-1850) | Mirantis OpenStack 5.1.x | Critical | Fix Released | ||
Bug #1481008: [SRU] OpenStack Kilo 2015.1.1 point release
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | ceilometer (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | ceilometer (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | cinder (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | cinder (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | glance (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | glance (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | heat (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | heat (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | horizon (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | horizon (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | keystone (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | keystone (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | nova (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | nova (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron-fwaas (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron-fwaas (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron-vpnaas (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron-vpnaas (Ubuntu Vivid) | Undecided | Fix Released | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron-lbaas (Ubuntu) | Undecided | Invalid | ||
| 1481008 | [SRU] OpenStack Kilo 2015.1.1 point release | neutron-lbaas (Ubuntu Vivid) | Undecided | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
