{"id":"USN-5835-4","summary":"cinder vulnerability","details":"USN-5835-1 fixed vulnerabilities in Cinder. This update provides the\ncorresponding updates for Ubuntu 18.04 LTS. In addition, a regression was\nfixed for Ubuntu 20.04 LTS.\n\nOriginal advisory details:\n\n Guillaume Espanel, Pierre Libeau, Arnaud Morin, and Damien Rannou\n discovered that Cinder incorrectly handled VMDK image processing. An\n authenticated attacker could possibly supply a specially crafted VMDK flat\n image and obtain arbitrary files from the server containing sensitive\n information.\n","modified":"2026-04-27T16:19:19.159776Z","published":"2023-02-09T12:26:36Z","related":["UBUNTU-CVE-2022-47951"],"upstream":["CVE-2022-47951","UBUNTU-CVE-2022-47951"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5835-4"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-47951"}],"affected":[{"package":{"name":"cinder","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/cinder@2:12.0.10-0ubuntu2.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:12.0.10-0ubuntu2.2"}]}],"versions":["2:11.0.0-0ubuntu2","2:11.0.0-0ubuntu3","2:12.0.0~b1-0ubuntu1","2:12.0.0~b2-0ubuntu2","2:12.0.0~rc1-0ubuntu1","2:12.0.0~rc2-0ubuntu1","2:12.0.0~rc2-0ubuntu2","2:12.0.0-0ubuntu1","2:12.0.1-0ubuntu1","2:12.0.3-0ubuntu1","2:12.0.4-0ubuntu1","2:12.0.5-0ubuntu1","2:12.0.7-0ubuntu2","2:12.0.9-0ubuntu1","2:12.0.9-0ubuntu1.2","2:12.0.10-0ubuntu1","2:12.0.10-0ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_name":"cinder-api","binary_version":"2:12.0.10-0ubuntu2.2"},{"binary_name":"cinder-backup","binary_version":"2:12.0.10-0ubuntu2.2"},{"binary_name":"cinder-common","binary_version":"2:12.0.10-0ubuntu2.2"},{"binary_name":"cinder-scheduler","binary_version":"2:12.0.10-0ubuntu2.2"},{"binary_name":"cinder-volume","binary_version":"2:12.0.10-0ubuntu2.2"},{"binary_name":"python-cinder","binary_version":"2:12.0.10-0ubuntu2.2"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5835-4.json","cves_map":{"ecosystem":"Ubuntu:18.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2022-47951"}]}}},{"package":{"name":"cinder","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/cinder@2:16.4.2-0ubuntu2.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:16.4.2-0ubuntu2.2"}]}],"versions":["2:15.0.0-0ubuntu1","2:16.0.0~b2~git2020020407.819b4a0fc-0ubuntu1","2:16.0.0~b3~git2020032414.a0c0a9e23-0ubuntu1","2:16.0.0~b3~git2020041012.eb915e2db-0ubuntu1","2:16.0.0-0ubuntu0.20.04.1","2:16.1.0-0ubuntu1","2:16.2.0-0ubuntu1","2:16.2.1-0ubuntu1","2:16.2.1-0ubuntu2","2:16.3.0-0ubuntu1","2:16.4.0-0ubuntu1","2:16.4.1-0ubuntu1","2:16.4.2-0ubuntu2","2:16.4.2-0ubuntu2.1"],"ecosystem_specific":{"binaries":[{"binary_name":"cinder-api","binary_version":"2:16.4.2-0ubuntu2.2"},{"binary_name":"cinder-backup","binary_version":"2:16.4.2-0ubuntu2.2"},{"binary_name":"cinder-common","binary_version":"2:16.4.2-0ubuntu2.2"},{"binary_name":"cinder-scheduler","binary_version":"2:16.4.2-0ubuntu2.2"},{"binary_name":"cinder-volume","binary_version":"2:16.4.2-0ubuntu2.2"},{"binary_name":"python3-cinder","binary_version":"2:16.4.2-0ubuntu2.2"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5835-4.json","cves_map":{"ecosystem":"Ubuntu:20.04:LTS","cves":[]}}}],"schema_version":"1.7.5"}