CVE-2015-5162

HIGH

Openstack Cinder < 11.0.0 - Resource Management Error

Title source: rule

Description

The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.

References (9)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-2923.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-2991.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0153.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0156.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0165.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0282.html

[Third Party Advisory] http://www.openwall.com/lists/oss-security/2016/10/06/8

[Exploit] https://launchpad.net/bugs/1449062

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/76849

Scores

CVSS v3 7.5

EPSS 0.0359

EPSS Percentile 87.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-399

Status draft

Affected Products (11)

openstack/cinder

openstack/cinder

openstack/cinder

openstack/glance < 11.0.0

openstack/glance

openstack/glance

openstack/nova < 12.0.3

openstack/nova

pypi/cinder < 7.0.2PyPI

pypi/glance < 14.0.0PyPI

pypi/nova < 12.0.4PyPI

Timeline

Published Oct 07, 2016

Tracked Since Feb 18, 2026