Vulnerability CVE-2020-9543

Vulnerability Name:

CVE-2020-9543 (CCN-177777)

Assigned:

2020-03-10

Published:

2020-03-10

Updated:

2020-07-14

Summary:

OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.

CVSS v3 Severity:

8.3 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
7.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): Low

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-276

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2020-9543

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20200311 [OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)

Source: MISC
Type: Exploit, Issue Tracking, Third Party Advisory
https://bugs.launchpad.net/manila/+bug/1861485

Source: XF
Type: UNKNOWN
openstack-cve20209543-sec-bypass(177777)

Source: CCN
Type: OSSA-2020-002
Unprivileged users can retrieve, use and manipulate share networks

Source: CONFIRM
Type: Patch, Vendor Advisory
https://security.openstack.org/ossa/OSSA-2020-002.html

Vulnerable Configuration:

Configuration 1:

cpe:/a:openstack:manila:*:*:*:*:*:*:*:* (Version < 7.4.1)

OR cpe:/a:openstack:manila:*:*:*:*:*:*:*:* (Version >= 8.0.0 and < 8.1.1)

OR cpe:/a:openstack:manila:*:*:*:*:*:*:*:* (Version >= 9.0.0 and < 9.1.1)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20209543	V	CVE-2020-9543	2022-05-22
oval:org.opensuse.security:def:59878	P	Security update for apache2 (Important)	2022-01-12
oval:org.opensuse.security:def:60440	P	Security update for chrony (Moderate)	2021-12-22
oval:org.opensuse.security:def:59581	P	Security update for xorg-x11-server (Important)	2021-12-20
oval:org.opensuse.security:def:59577	P	Security update for bcm43xx-firmware (Important)	2021-12-13
oval:org.opensuse.security:def:59831	P	Security update for openssh (Important)	2021-12-02
oval:org.opensuse.security:def:61096	P	Security update for util-linux (Moderate)	2021-10-20
oval:org.opensuse.security:def:60371	P	Security update for hivex (Moderate)	2021-09-23
oval:org.opensuse.security:def:61606	P	minicom-2.7.1-1.19 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:61607	P	mozilla-nspr-32bit-4.20-3.3.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:61667	P	tftp-5.2-3.22 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:61630	P	procmail-3.22-2.34 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:63233	P	rarpd-s20161105-6.10 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:61668	P	tpm2.0-tools-3.1.2-5.30 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:63235	P	rsyslog-module-gssapi-8.33.1-3.9.1 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:60344	P	Security update for spectre-meltdown-checker (Moderate)	2021-08-27
oval:org.opensuse.security:def:63368	P	qemu-5.2.0-9.18 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63353	P	libvirglrenderer0-0.6.0-4.3.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63339	P	libfpm_pb0-1.1.1-2.29 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63340	P	libfreebl3-hmac-3.53.1-3.51.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63130	P	python3-keystoneclient-4.0.0-9.4.5 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63471	P	flac-1.3.2-3.6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63437	P	libsndfile1-32bit-1.0.28-5.5.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63423	P	graphviz-gnome-2.40.1-6.3.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63421	P	ffmpeg-3.4.2-9.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63495	P	libstaroffice-0_0-0-0.0.7-7.3.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63477	P	icedtea-web-1.7.1-5.13 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63329	P	gnuplot-5.2.2-3.6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63505	P	perl-32bit-5.26.1-15.87 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63445	P	oath-toolkit-2.6.2-1.15 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62266	P	nmap-7.70-3.12.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62136	P	libXxf86dga-devel-1.1.4-1.24 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62999	P	crash-7.2.9-21.4 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62332	P	sudo-1.9.5p2-1.5 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62160	P	libjansson-devel-2.9-1.24 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:63023	P	libtidy-devel-5.4.0-3.2.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62780	P	libcolord-gtk-devel-0.1.26-1.48 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62356	P	xorg-x11-devel-7.6.1-1.16 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62230	P	libtirpc-devel-1.2.6-1.131 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62072	P	file-5.32-7.11.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:59764	P	Security update for libsolv (Important)	2021-06-28
oval:org.opensuse.security:def:63529	P	bluez-cups-5.48-3.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:63532	P	dia-0.97.3-2.32 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:59744	P	Security update for the Linux Kernel (Important)	2021-06-08
oval:org.opensuse.security:def:63103	P	kernel-default-livepatch-4.12.14-23.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:60228	P	Security update for clamav (Important)	2021-04-13
oval:org.opensuse.security:def:60489	P	Security update for tomcat (Important)	2021-03-30
oval:org.opensuse.security:def:60485	P	Security update for openssl-1_1 (Important)	2021-03-25
oval:org.opensuse.security:def:60330	P	Security update for java-11-openjdk (Important)	2021-02-02
oval:org.opensuse.security:def:59448	P	Security update for MozillaFirefox (Critical)	2020-12-21
oval:org.opensuse.security:def:59442	P	Security update for mutt (Important)	2020-12-07
oval:org.opensuse.security:def:63055	P	python2-numpy-gnu-hpc-1.16.5-1.164 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63390	P	jakarta-commons-fileupload-1.1.1-2.82 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61886	P	libsqlite3-0-3.28.0-3.9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62702	P	libtag-devel-1.11.1-4.6.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61782	P	libFS-devel-1.0.7-1.22 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62562	P	libmad-devel-0.15.1b-3.16 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61759	P	grep-3.1-4.3.12 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62396	P	bluez-5.48-3.7 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63157	P	libcacard-devel-2.5.3-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63392	P	nodejs8-8.11.1-1.19 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61955	P	python3-CherryPy-18.3.0-1.31 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63617	P	gimp-2.10.12-1.100 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61799	P	libXt-devel-1.1.5-2.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62606	P	typelib-1_0-JavaScriptCore-4_0-2.24.1-3.24.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63251	P	apache2-mod_auth_openidc-2.3.8-3.7.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62464	P	libplist++-devel-2.0.0-1.31 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63154	P	guestfs-data-1.38.0-3.52 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61691	P	alsa-1.1.5-6.6.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62925	P	rpm-build-4.14.1-10.16.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63289	P	nut-2.7.4-4.72 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61862	P	libpcre2-16-0-10.31-1.14 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62678	P	libkpathsea6-6.2.3-19.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61715	P	clamav-0.100.3-3.20.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62488	P	pulseaudio-11.1-4.31 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63257	P	davfs2-1.5.4-1.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61692	P	amavisd-new-2.11.1-6.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62428	P	libXp6-32bit-1.0.3-1.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63582	P	kernel-default-extra-4.12.14-195.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61758	P	graphviz-2.40.1-6.3.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:59695	P	Security update for python-setuptools (Important)	2020-12-02
oval:org.opensuse.security:def:59284	P	Security update for freeradius-server (Moderate)	2020-12-01
oval:org.opensuse.security:def:60137	P	Security update for squid (Critical)	2020-12-01
oval:org.opensuse.security:def:60849	P	Security update for OpenStack (Moderate)	2020-12-01
oval:org.opensuse.security:def:61016	P	Security update for xorg-x11-server (Moderate)	2020-12-01
oval:org.opensuse.security:def:59395	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:60599	P	Security update for dnsmasq (Moderate)	2020-12-01
oval:org.opensuse.security:def:59018	P	Security update for ucode-intel (Important)	2020-12-01
oval:org.opensuse.security:def:60799	P	Security update for postgresql10 (Important)	2020-12-01
oval:org.opensuse.security:def:59147	P	Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:60822	P	Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)	2020-12-01
oval:org.opensuse.security:def:60935	P	Security update for nodejs6 (Important)	2020-12-01
oval:org.opensuse.security:def:59417	P	Security update for libvirt (Moderate)	2020-12-01
oval:org.opensuse.security:def:59196	P	Security update for clamav (Important)	2020-12-01
oval:org.opensuse.security:def:59929	P	Security update for python3 (Important)	2020-12-01
oval:org.opensuse.security:def:60522	P	python-libxml2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60677	P	Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper (Moderate)	2020-12-01
oval:org.opensuse.security:def:59040	P	Security update for dbus-1 (Important)	2020-12-01
oval:org.opensuse.security:def:59882	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:60586	P	Security update for cobbler (Moderate)	2020-12-01
oval:org.opensuse.security:def:60749	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:59148	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:60603	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:60913	P	Security update for libssh2_org (Moderate)	2020-12-01
oval:org.opensuse.security:def:59261	P	Security update for squid (Important)	2020-12-01
oval:org.opensuse.security:def:60631	P	Security update for python-Werkzeug (Moderate)	2020-12-01
oval:org.opensuse.security:def:60973	P	Security update for nodejs6 (Critical)	2020-12-01
oval:org.opensuse.security:def:60560	P	unzip on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:59328	P	Security update for ucode-intel (Moderate)	2020-12-01
oval:org.opensuse.security:def:60071	P	Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:60670	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:60828	P	Security update for openstack-manila (Important)	2020-12-01
oval:org.opensuse.security:def:59170	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:59996	P	Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:60700	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:60863	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:59262	P	Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:60016	P	Security update for kernel-firmware (Important)	2020-12-01
oval:org.opensuse.security:def:60751	P	Security update for java-1_8_0-ibm (Moderate)	2020-12-01
oval:org.opensuse.security:def:61066	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:59394	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:59629	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:60649	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:59017	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:60708	P	Security update for mariadb (Moderate)	2020-12-01
oval:org.opensuse.security:def:60185	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:60784	P	Security update for sane-backends (Important)	2020-12-01
oval:org.opensuse.security:def:60942	P	Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper (Moderate)	2020-12-01
oval:org.opensuse.security:def:88300	P	Security update for ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-ironic, openstack-ironic-image, openstack-manila, openstack-neutron, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, python-cinderclient, python-glanceclient, python-ironic-lib, python-ironicclient, python-keystonemiddleware, python-manila-tempest-plugin, python-novaclient, python-octaviaclient, python-openstackclient, python-os-brick, python-oslo.config, python-oslo.rootwrap, python-oslo.utils, python-swiftclient, python-watcherclient, release-notes-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, zookeeper (Moderate)	2020-05-05
oval:org.opensuse.security:def:87996	P	Security update for ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-ironic, openstack-ironic-image, openstack-manila, openstack-neutron, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, python-cinderclient, python-glanceclient, python-ironic-lib, python-ironicclient, python-keystonemiddleware, python-manila-tempest-plugin, python-novaclient, python-octaviaclient, python-openstackclient, python-os-brick, python-oslo.config, python-oslo.rootwrap, python-oslo.utils, python-swiftclient, python-watcherclient, release-notes-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, zookeeper (Moderate)	2020-05-05
oval:org.opensuse.security:def:84395	P	Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper (Moderate)	2020-04-22
oval:org.opensuse.security:def:83943	P	Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper (Moderate)	2020-04-22
oval:org.opensuse.security:def:88095	P	Security update for openstack-manila (Important)	2020-03-12
oval:com.ubuntu.bionic:def:202095430000000	V	CVE-2020-9543 on Ubuntu 18.04 LTS (bionic) - medium.	2020-03-12
oval:com.ubuntu.xenial:def:202095430000000	V	CVE-2020-9543 on Ubuntu 16.04 LTS (xenial) - medium.	2020-03-12
oval:org.opensuse.security:def:84563	P	Security update for openstack-manila (Important)	2020-03-12
oval:org.opensuse.security:def:88405	P	Security update for openstack-manila (Important)	2020-03-12
oval:org.opensuse.security:def:84108	P	Security update for openstack-manila (Important)	2020-03-12

BACK