CVE-2020-9543: 
Python vulnerability analysis and mitigation

OpenStack Manila versions <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 contained a vulnerability (CVE-2020-9543) that was discovered by Tobias Rydberg from City Network Hosting AB and reported on January 31, 2020. The vulnerability allowed unauthorized users to view, update, delete, or share resources that did not belong to them through a context-free lookup of a UUID (OpenStack OSSA).

The vulnerability existed in Manila's share network APIs where the database API layer lacked proper project_id verification. This security flaw allowed users with knowledge of a share network UUID to perform operations against any share network, regardless of ownership. The issue stemmed from missing project_id validation in the web API layer's interaction with the share network database API (OSS Security). The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (NVD).

Attackers who possessed a share network ID could view and manipulate share network details, create shares and share groups on share networks belonging to other tenants, manipulate share network subnets, update share network metadata, and delete share networks. This could lead to namespace clobbering and denial of service, although Manila did not provide ways for attackers to connect to these resources for other types of damage (Launchpad Bug).

The vulnerability was patched by implementing project_only validation in the database query, ensuring that regular users could only access share networks within their authenticated project while maintaining administrator access to all share networks. Patches were provided for multiple versions: Pike, Queens, Rocky, Stein, Train, and Ussuri branches. The fix was released on March 10, 2020 (OpenStack OSSA).