CVE-2022-47951: 
Python vulnerability analysis and mitigation

A vulnerability (CVE-2022-47951) was discovered in OpenStack components affecting Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. The vulnerability was reported by Guillaume Espanel, Pierre Libeau, Arnaud Morin, and Damien Rannou from OVH and was disclosed on January 24, 2023 (OpenStack Advisory).

The vulnerability allows an authenticated user to exploit VMDK image processing by supplying a specially crafted VMDK flat image that references a specific backing file path. The issue stems from insufficient input sanitization in the handling of VMDK images. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high confidentiality impact (NVD).

When successfully exploited, this vulnerability allows an attacker to convince systems to return a copy of arbitrary file contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder deployments are affected, Glance deployments with image conversion enabled are affected, and all Nova deployments are affected (OpenStack Advisory).

The vulnerability has been patched in multiple versions of the affected OpenStack components. Updates have been released for Cinder, Glance, and Nova across various OpenStack releases including Train, Ussuri, Victoria, Wallaby, Xena, Yoga, and Zed. Organizations are strongly recommended to upgrade to the fixed versions. For Debian users, fixed packages have been released in security updates DSA-5336-1 (Glance), DSA-5337-1 (Nova), and DSA-5338-1 (Cinder) (Debian Security, OpenStack Advisory).