GCVE - cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Openstack (`7b0cf974-b2b5-592e-bdf4-6953805ef02a`)
Product	Cinder (`3623b637-0ea9-5888-89ea-2ab9a4550392`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/cinder`	purl2cpe	2026-06-01 10:17:02.649862
`pkg:deb/ubuntu/cinder`	purl2cpe	2026-06-01 10:17:02.649864
`pkg:docker/openstackhelm/cinder`	purl2cpe	2026-06-01 10:17:02.649865
`pkg:github/openstack/cinder`	purl2cpe	2026-06-01 10:17:02.649867
`pkg:pypi/cinder`	purl2cpe	2026-06-01 10:17:02.649868
`pkg:rpm/opensuse/openstack-cinder`	purl2cpe	2026-06-01 10:17:02.649870

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-32498`	vulnerable	2026-06-03 14:55:41.144404	Details available An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected. Published: 2024-07-05T00:00:00.000Z Updated: 2025-11-04T16:12:13.552Z Open on db.gcve.eu Reference links https://launchpad.net/bugs/2059809 http://www.openwall.com/lists/oss-security/2024/07/02/2 https://www.openwall.com/lists/oss-security/2024/07/02/2 https://security.openstack.org/ossa/OSSA-2024-001.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-47951`	vulnerable	2026-06-03 14:48:27.920076	Details available An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. Published: 2023-01-26T00:00:00.000Z Updated: 2025-03-31T16:49:31.493Z Open on db.gcve.eu Reference links https://launchpad.net/bugs/1996188 https://security.openstack.org/ossa/OSSA-2023-002.html https://lists.debian.org/debian-lts-announce/2023/01/msg00040.html https://lists.debian.org/debian-lts-announce/2023/01/msg00041.html https://lists.debian.org/debian-lts-announce/2023/01/msg00042.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-7231`	vulnerable	2026-06-03 14:34:15.311957	Details available The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log. Published: 2014-10-08T19:00:00.000Z Updated: 2024-08-06T12:40:19.265Z Open on db.gcve.eu Reference links http://seclists.org/oss-sec/2014/q3/853 https://exchange.xforce.ibmcloud.com/vulnerabilities/96726 http://rhn.redhat.com/errata/RHSA-2014-1939.html https://bugs.launchpad.net/oslo.utils/+bug/1345233 http://www.securityfocus.com/bid/70184	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-7230`	vulnerable	2026-06-03 14:34:15.309754	Details available The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. Published: 2014-10-08T19:00:00.000Z Updated: 2024-08-06T12:40:19.269Z Open on db.gcve.eu Reference links http://seclists.org/oss-sec/2014/q3/853 https://exchange.xforce.ibmcloud.com/vulnerabilities/96725 http://www.securityfocus.com/bid/70185 https://bugs.launchpad.net/oslo-incubator/+bug/1343604 http://rhn.redhat.com/errata/RHSA-2014-1939.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-3641`	vulnerable	2026-06-03 14:34:00.424814	Details available The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header. Published: 2014-10-08T19:00:00.000Z Updated: 2024-08-06T10:50:17.930Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2014-1788.html http://seclists.org/oss-sec/2014/q4/78 http://www.securityfocus.com/bid/70221 http://www.ubuntu.com/usn/USN-2405-1 https://bugs.launchpad.net/cinder/+bug/1350504	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4202`	vulnerable	2026-06-03 14:33:10.227316	Details available The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664. Published: 2013-09-16T19:00:00.000Z Updated: 2024-08-06T16:38:01.845Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2013-1198.html https://bugs.launchpad.net/ossa/+bug/1190229 http://www.ubuntu.com/usn/USN-2005-1	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.