CVE-2016-2140

Published: Apr 12, 2016Modified: May 6, 2026

5.3

Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.

Affected (2)

Products: Openstack: Nova

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Openstack Nova	From 12.0.0 to 12.0.3
Openstack Nova	From 2015.1.0 to 2015.1.4

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (8)

http://www.openwall.com/lists/oss-security/2016/03/08/6

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/84277

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://bugs.launchpad.net/nova/+bug/1548450

Source: secalert@redhat.com

Third Party Advisory

https://security.openstack.org/ossa/OSSA-2016-007.html

Source: secalert@redhat.com

PatchVendor Advisory

http://www.openwall.com/lists/oss-security/2016/03/08/6

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/84277

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://bugs.launchpad.net/nova/+bug/1548450

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.openstack.org/ossa/OSSA-2016-007.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.