CVE-2020-10755
Description
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the `connection_info` element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenStack Cinder exposes Dell EMC ScaleIO/VxFlex OS backend credentials in the Block Storage v3 Attachments API, allowing any tenant to retrieve valid management credentials.
Vulnerability Overview
An insecure-credentials flaw in OpenStack Cinder, affecting all versions before 14.1.0, 15.x.x before 15.2.0, and 16.x.x before 16.1.0, exposes backend storage driver credentials when using the Dell EMC ScaleIO or VxFlex OS driver [1]. The vulnerability arises because the Cinder volume service includes the backend's username and password in the connection_info element returned by the Block Storage v3 Attachments API [2]. This occurs regardless of the volume's ownership or the API caller's authorization level.
Exploitation
An authenticated end-user (i.e., any OpenStack tenant user) can exploit this flaw by creating a volume and then calling the Attachments API to show attachment details [2]. The response contains the connection_info field, which includes the plaintext username and password used by the Cinder backend to communicate with the ScaleIO or VxFlex OS storage system. No special privileges beyond standard volume creation and attachment operations are required. The credentials are valid for the ScaleIO/VxFlex OS Management API if the attacker can discover its endpoint [1].
Impact
An attacker who successfully retrieves these credentials can connect to another user's volume, potentially reading or modifying data belonging to other tenants [1]. Moreover, because the same credentials are used for the entire backend, they may also allow administrative access to the storage management API, enabling broader compromise of the storage infrastructure [2]. The flaw compromises the isolation expected in multi-tenant cloud environments.
Mitigation
The recommended remediation involves patching the ScaleIO/VxFlex OS Cinder driver to stop providing the password in API responses, patching the os-brick connector to read the password from a root-only configuration file, and deploying the configuration file to all compute and Cinder nodes [2]. The fix was implemented in openstack-cinder versions 14.1.0, 15.2.0, and 16.1.0, and in the os-brick library commit 4047948f1ac8055a025972ad73ec3ec421450775 [3][4]. Users should upgrade to the patched versions and follow the deployment steps outlined in the OpenStack Security Note (OSSN-0086).
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
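One way to verify the deployment step in the Mitigation paragraph above, as an added example (not code from OpenStack, os-brick or this page): it checks that `connector.conf` is owned by the expected user, is closed to group and other, and carries a `san_password` for every ScaleIO/VxFlex OS backend section in `cinder.conf`. The function names, the `volume_driver` substring match and the sample configuration are assumptions made for illustration; run it as root on each compute and Cinder node with the default `owner_uid=0`.

```python
import configparser
import os
import stat
import tempfile

# Assumption: these substrings in volume_driver identify the affected driver.
DRIVER_MARKERS = ("scaleio", "vxflexos")

# Constructed sample cinder.conf (not taken from a real deployment).
SAMPLE_CINDER_CONF = """\
[vxflexos]
volume_driver = cinder.volume.drivers.dell_emc.scaleio.driver.ScaleIODriver

[vxflexos-new]
volume_driver = cinder.volume.drivers.dell_emc.scaleio.driver.ScaleIODriver

[lvm]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
"""


def vxflex_sections(cinder_conf_text):
    """Return the cinder.conf sections that use the ScaleIO/VxFlex OS driver."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(cinder_conf_text)
    return [s for s in conf.sections()
            if any(m in conf.get(s, "volume_driver", fallback="").lower()
                   for m in DRIVER_MARKERS)]


def audit_connector_conf(cinder_conf_text, connector_path, owner_uid=0):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        st = os.stat(connector_path)
    except FileNotFoundError:
        return ["%s is missing" % connector_path]
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, owner_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("mode %o grants group/other access" % mode)
    conn = configparser.ConfigParser(interpolation=None, strict=False)
    with open(connector_path) as fh:
        conn.read_file(fh)
    for section in vxflex_sections(cinder_conf_text):
        if not conn.has_section(section):
            findings.append("section [%s] missing from connector.conf" % section)
        elif not conn.get(section, "san_password", fallback=""):
            findings.append("section [%s] has no san_password" % section)
    return findings


def demo():
    """Audit a deliberately incomplete, world-readable connector.conf."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "connector.conf")
        with open(path, "w") as fh:
            fh.write("[vxflexos]\nsan_password = SIO_PASSWD\n")
        os.chmod(path, 0o644)
        return audit_connector_conf(SAMPLE_CINDER_CONF, path,
                                    owner_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```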
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cinder (PyPI) | >= 14.0.0, < 14.1.0 | 14.1.0 |
| cinder (PyPI) | >= 15.0.0, < 15.2.0 | 15.2.0 |
| cinder (PyPI) | >= 16.0.0, < 16.1.0 | 16.1.0 |
| os-brick (PyPI) | >= 2.8.0, < 2.8.6 | 2.8.6 |
| os-brick (PyPI) | >= 2.10.0, < 2.10.4 | 2.10.4 |
| os-brick (PyPI) | >= 3.0.0, < 3.0.2 | 3.0.2 |
Affected products
- Red Hat/openstack-cinder (v5). Range: all openstack-cinder versions before openstack-cinder 14.1.0
Patches
ba785eef5f51: Remove VxFlex OS credentials from connection_properties
2 files changed · +30 −3
cinder/volume/drivers/dell_emc/scaleio/driver.py+3 −3 modified@@ -144,9 +144,10 @@ class ScaleIODriver(driver.VolumeDriver): 2.0.1: Added support for SIO 1.3x in addition to 2.0.x 2.0.2: Added consistency group support to generic volume groups 2.0.3: Added cache for storage pool and protection domains info + 2.0.3.1: Fix for Bug #1823200. See OSSN-0086 for details. """ - VERSION = "2.0.3" + VERSION = "2.0.3.1" # ThirdPartySystems wiki CI_WIKI_NAME = "EMC_ScaleIO_CI" @@ -220,8 +221,7 @@ def __init__(self, *args, **kwargs): 'serverIP': self.server_ip, 'serverPort': self.server_port, 'serverUsername': self.server_username, - 'serverPassword': self.server_password, - 'serverToken': self.server_token, + 'config_group': self.configuration.config_group, 'iopsLimit': None, 'bandwidthLimit': None, }
doc/source/configuration/block-storage/drivers/dell-emc-scaleio-driver.rst+27 −0 modified@@ -273,6 +273,33 @@ parameters as follows: san_password = SIO_PASSWD san_thin_provision = false +Connector configuration +~~~~~~~~~~~~~~~~~~~~~~~ + +Before using attach/detach volume operations VxFlex OS connector must be +properly configured. On each node where VxFlex OS SDC is installed do the +following: + +#. Create ``/opt/emc/scaleio/openstack/connector.conf`` if it does not + exist. + + .. code-block:: console + + $ mkdir -p /opt/emc/scaleio/openstack + $ touch /opt/emc/scaleio/openstack/connector.conf + +#. For each VxFlex OS section in the ``cinder.conf`` create the same section in + the ``/opt/emc/scaleio/openstack/connector.conf`` and populate it with + passwords. Example: + + .. code-block:: ini + + [vxflexos] + san_password = SIO_PASSWD + + [vxflexos-new] + san_password = SIO2_PASSWD + Configuration options ~~~~~~~~~~~~~~~~~~~~~
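Review bot: in the `__init__` hunk of `cinder/volume/drivers/dell_emc/scaleio/driver.py`, `'serverUsername': self.server_username` stays in the connection properties next to `serverIP` and `serverPort`, so attachment responses still disclose the backend account name and the management endpoint. If the connector can read the username from the same `config_group` section as the password, drop it from the properties as well; if it has to stay, record why in a comment. The `2.0.3.1` changelog line would also be more useful if it said what changed (password and token removed from the connection properties) rather than only pointing at the bug number.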
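Review bot: the new "Connector configuration" section in `dell-emc-scaleio-driver.rst` creates `connector.conf` with `mkdir -p` and `touch` but never restricts it, so with a typical umask the file that is about to hold every backend's `san_password` is readable by any local user. Add an explicit ownership and mode step (root-owned, no group or other access) directly after the `touch`, before the step that populates the passwords. It is also worth stating that the section names must match the `cinder.conf` backend section names exactly, since the driver now sends `config_group` and the connector looks the password up by that name.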
4047948f1ac8: Remove VxFlex OS credentials from connection_properties
2 files changed · +39 −4
os_brick/initiator/connectors/scaleio.py+33 −2 modified@@ -15,6 +15,8 @@ import json import os import requests +import six +from six.moves import configparser from six.moves import urllib from oslo_concurrency import lockutils @@ -29,6 +31,7 @@ LOG = logging.getLogger(__name__) DEVICE_SCAN_ATTEMPTS_DEFAULT = 3 +CONNECTOR_CONF_PATH = '/opt/emc/scaleio/openstack/connector.conf' synchronized = lockutils.synchronized_with_prefix('os-brick-') @@ -39,6 +42,7 @@ class ScaleIOConnector(base.BaseLinuxConnector): VOLUME_NOT_MAPPED_ERROR = 84 VOLUME_ALREADY_MAPPED_ERROR = 81 GET_GUID_CMD = ['/opt/emc/scaleio/sdc/bin/drv_cfg', '--query_guid'] + GET_PASSWORD_CMD = ['cat', CONNECTOR_CONF_PATH] def __init__(self, root_helper, driver=None, device_scan_attempts=initiator.DEVICE_SCAN_ATTEMPTS_DEFAULT, @@ -221,6 +225,32 @@ def _get_volume_id(self): {'volume_id': volume_id}) return volume_id + def _get_connector_password(self, config_group): + LOG.info("Get ScaleIO connector password from configuration file") + + if not os.path.isfile(CONNECTOR_CONF_PATH): + msg = ("ScaleIO connector configuration file " + "is not found in path %s." % CONNECTOR_CONF_PATH) + raise exception.BrickException(message=msg) + + try: + (out, err) = self._execute(*self.GET_PASSWORD_CMD, + run_as_root=True, + root_helper=self._root_helper) + conf = configparser.ConfigParser() + conf.readfp(six.StringIO(out)) + return conf[config_group]["san_password"] + except putils.ProcessExecutionError as e: + msg = _("Error reading ScaleIO connector " + "configuration file: %s") % e.stderr + LOG.error(msg) + raise exception.BrickException(message=msg) + except Exception as e: + msg = _("Error getting ScaleIO connector password from " + "configuration file: %s") % e + LOG.error(msg) + raise exception.BrickException(message=msg) + def _check_response(self, response, request, is_get_request=True, params=None): if response.status_code == 401 or response.status_code == 403: 
@@ -269,8 +299,9 @@ def get_config(self, connection_properties): self.server_ip = connection_properties['serverIP'] self.server_port = connection_properties['serverPort'] self.server_username = connection_properties['serverUsername'] - self.server_password = connection_properties['serverPassword'] - self.server_token = connection_properties['serverToken'] + self.server_password = self._get_connector_password( + connection_properties['config_group'], + ) self.iops_limit = connection_properties['iopsLimit'] self.bandwidth_limit = connection_properties['bandwidthLimit'] device_info = {'type': 'block',
os_brick/tests/initiator/connectors/test_scaleio.py+6 −2 modified@@ -47,8 +47,7 @@ def setUp(self): 'scaleIO_volume_id': self.vol['provider_id'], 'serverPort': 443, 'serverUsername': 'test', - 'serverPassword': 'fake', - 'serverToken': 'fake_token', + 'config_group': 'test', 'iopsLimit': None, 'bandwidthLimit': None } @@ -84,6 +83,10 @@ def setUp(self): self.mock_object(os, 'listdir', return_value=["emc-vol-{}".format(self.vol['id'])]) + self.get_password_mock = self.mock_object(scaleio.ScaleIOConnector, + '_get_connector_password', + return_value='fake_password') + # The actual ScaleIO connector self.connector = scaleio.ScaleIOConnector( 'sudo', execute=self.fake_execute) @@ -170,6 +173,7 @@ def test_get_connector_properties(self): def test_connect_volume(self): """Successful connect to volume""" self.connector.connect_volume(self.fake_connection_properties) + self.get_password_mock.assert_called_once() def test_connect_with_bandwidth_limit(self): """Successful connect to volume with bandwidth limit"""
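Review bot: in `_get_connector_password` in `os_brick/initiator/connectors/scaleio.py`, `os.path.isfile(CONNECTOR_CONF_PATH)` runs in the calling process while the read itself goes through `run_as_root=True`; if the directory is locked down to root, the pre-check reports the file as missing even though the `cat` would succeed. Drop the pre-check and let the `ProcessExecutionError` branch report a missing file. Two smaller points in the same hunk: `conf[config_group]["san_password"]` relies on mapping access that the Python 2 `ConfigParser` reached through `six.moves` does not provide, so `conf.get(config_group, "san_password")` is the portable form; and the broad `except Exception` turns a missing section into a message containing only the key name, so catch that case explicitly and name both the section and the file.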
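Review bot: in the `get_config` hunk, `connection_properties['config_group']` is a hard lookup, so connection properties produced before this change (which carry `serverPassword` and no `config_group`) fail here with a bare `KeyError`. Check for the key and raise a `BrickException` that tells the operator the volume service and the connector are out of step, and document the required upgrade order. `self.server_token` is also no longer assigned in this method; confirm nothing later in the class still reads it.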
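Review bot: the `setUp` hunk in `test_scaleio.py` replaces `_get_connector_password` with a mock returning `'fake_password'`, so none of the new code paths (missing file, `ProcessExecutionError`, missing section or option) is exercised by the suite. Add tests that feed `fake_execute` a sample `connector.conf` body and assert on the returned password, plus one test per failure case asserting that `BrickException` is raised. In `test_connect_volume`, asserting the argument as well (the `'test'` group from `fake_connection_properties`) would catch a wrong section name being passed through.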
References
- github.com/advisories/GHSA-v3m2-pg96-w33m (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-10755 (advisory)
- usn.ubuntu.com/4420-1/ (vendor advisory, Ubuntu)
- bugs.launchpad.net/cinder/+bug/1823200 (web)
- bugzilla.redhat.com/show_bug.cgi (web)
- github.com/openstack/cinder/commit/ba785eef5f515b869c0d68016e84bb74f76ab45e (web)
- github.com/openstack/os-brick/commit/4047948f1ac8055a025972ad73ec3ec421450775 (web)
- github.com/pypa/advisory-database/tree/main/vulns/cinder/PYSEC-2020-228.yaml (web)
- usn.ubuntu.com/4420-1 (web)
- wiki.openstack.org/wiki/OSSN/OSSN-0086 (web)