CVE-2020-9543
Description
OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-9543 allows unprivileged OpenStack Manila users to view, modify, or delete share networks not owned by them through a missing project-scope access control check.
Vulnerability Description
CVE-2020-9543 is an access-control vulnerability in OpenStack Manila, the shared filesystem management service. The vulnerability arises because the share network API performs a context-free lookup by UUID, failing to verify that the requesting user's project ID matches the resource's project ID [1]. This flaw affects Manila versions prior to 7.4.1, versions from 8.0.0 up to but not including 8.1.1, and versions from 9.0.0 up to but not including 9.1.1 [4].
Attack Vector and Exploitation
An attacker with a valid Manila API credential but no administrative privileges can exploit this by simply supplying the UUID of a share network belonging to another project. The API does not enforce project isolation on the lookup, so the attacker can retrieve, update, delete, or reuse the share network for their own resources [4]. The attacker does not need to be in the same tenant or have prior special access beyond a normal user token.
Impact
Successful exploitation enables an attacker to view and manipulate share network subnets, create share filesystems or share groups on a compromised share network, and potentially expose or disrupt services that depend on the shared storage backend [1][4]. This violates multi-tenant isolation guarantees and can lead to data exposure or unauthorized resource consumption.
Mitigation
The fix, implemented in commit 947315f0903c [3], enforces project-scoped access control on share network APIs. Administrators must upgrade to Manila 7.4.1, 8.1.1, or 9.1.1 [4]. No workaround exists that preserves full functionality, as the defect is in the core API logic.
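The difference between the context-free lookup and the project-scoped one described above, as an added Python illustration (not Manila's code). The names `model_query`, `project_only`, `RequestContext`, `elevated` and `ShareNetworkNotFound` mirror identifiers in the fix commit's diff; the in-memory table, the simplified function bodies and the helper functions are assumptions made for the example.

```python
# Added illustration: a toy model of project-scoped lookup, not Manila code.
from dataclasses import dataclass


class ShareNetworkNotFound(Exception):
    """Raised when no share network with that id is visible to the caller."""


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    project_id: str
    is_admin: bool = False

    def elevated(self):
        # Same caller with admin rights, for trusted internal code paths.
        return RequestContext(self.user_id, self.project_id, is_admin=True)


# Constructed sample rows standing in for the share network table.
SHARE_NETWORKS = [
    {"id": "net-a", "project_id": "project-a", "name": "a-net"},
    {"id": "net-b", "project_id": "project-b", "name": "b-net"},
]


def model_query(context, rows, project_only=False):
    """Return the rows the caller may see (simplified assumption).

    With project_only=True a non-admin context is limited to rows whose
    project_id equals its own; an admin context is not filtered.
    """
    if project_only and not context.is_admin:
        return [r for r in rows if r["project_id"] == context.project_id]
    return list(rows)


def share_network_get(context, network_id, project_only):
    for row in model_query(context, SHARE_NETWORKS, project_only=project_only):
        if row["id"] == network_id:
            return row
    # "Does not exist" and "belongs to another project" raise the same error,
    # so the response does not confirm that a foreign UUID is valid.
    raise ShareNetworkNotFound(network_id)


def visible(context, network_id, project_only):
    try:
        share_network_get(context, network_id, project_only)
        return True
    except ShareNetworkNotFound:
        return False


def isolation_report(project_only):
    """Map (caller project, network id) -> visible? for non-admin callers."""
    callers = [RequestContext("user", p) for p in ("project-a", "project-b")]
    return {(c.project_id, n["id"]): visible(c, n["id"], project_only)
            for c in callers for n in SHARE_NETWORKS}


def cross_project_leaks(project_only):
    """List (caller project, network id) pairs that cross a project boundary."""
    owner = {n["id"]: n["project_id"] for n in SHARE_NETWORKS}
    return sorted(pair for pair, seen in isolation_report(project_only).items()
                  if seen and owner[pair[1]] != pair[0])


if __name__ == "__main__":
    print("context-free lookup:", cross_project_leaks(project_only=False))
    print("project-scoped lookup:", cross_project_leaks(project_only=True))
```

The same matrix check, run against a real deployment's test suite with two unprivileged projects, is a compact regression test for this class of isolation bug.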
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| manila (PyPI) | < 7.4.1 | 7.4.1 |
| manila (PyPI) | >= 8.0.0, < 8.1.1 | 8.1.1 |
| manila (PyPI) | >= 9.0.0, < 9.1.1 | 9.1.1 |
Affected products
- OpenStack/Manila
Patches
947315f0903c share_networks: enable project_only API only
3 files changed · +65 −10
manila/db/sqlalchemy/api.py+2 −1 modified@@ -3398,7 +3398,8 @@ def _security_service_get_query(context, session=None): def _network_get_query(context, session=None): if session is None: session = get_session() - return (model_query(context, models.ShareNetwork, session=session). + return (model_query(context, models.ShareNetwork, session=session, + project_only=True). options(joinedload('share_instances'), joinedload('security_services'), subqueryload('share_network_subnets')))
manila/tests/db/sqlalchemy/test_api.py+56 −9 modified@@ -1981,7 +1981,7 @@ def test_create_two_networks_in_different_tenants(self): share_nw_dict2['project_id'] = 'fake project 2' result1 = db_api.share_network_create(self.fake_context, self.share_nw_dict) - result2 = db_api.share_network_create(self.fake_context, + result2 = db_api.share_network_create(self.fake_context.elevated(), share_nw_dict2) self._check_fields(expected=self.share_nw_dict, actual=result1) @@ -2014,6 +2014,33 @@ def test_get(self): self.assertEqual(0, len(result['share_instances'])) self.assertEqual(0, len(result['security_services'])) + def _create_share_network_for_project(self, project_id): + ctx = context.RequestContext(user_id='fake user', + project_id=project_id, + is_admin=False) + + share_data = self.share_nw_dict.copy() + share_data['project_id'] = project_id + + db_api.share_network_create(ctx, share_data) + return share_data + + def test_get_other_tenant_as_admin(self): + expected = self._create_share_network_for_project('fake project 2') + result = db_api.share_network_get(self.fake_context.elevated(), + self.share_nw_dict['id']) + + self._check_fields(expected=expected, actual=result) + self.assertEqual(0, len(result['share_instances'])) + self.assertEqual(0, len(result['security_services'])) + + def test_get_other_tenant(self): + self._create_share_network_for_project('fake project 2') + self.assertRaises(exception.ShareNetworkNotFound, + db_api.share_network_get, + self.fake_context, + self.share_nw_dict['id']) + @ddt.data([{'id': 'fake share id1'}], [{'id': 'fake share id1'}, {'id': 'fake share id2'}],) def test_get_with_shares(self, shares): 
@@ -2129,24 +2156,29 @@ def test_get_all_one_record(self, records_count): share_network_dict.update({'id': fake_id, 'project_id': fake_id}) share_networks.append(share_network_dict) - db_api.share_network_create(self.fake_context, share_network_dict) + db_api.share_network_create(self.fake_context.elevated(), + share_network_dict) index += 1 - result = db_api.share_network_get_all(self.fake_context) + result = db_api.share_network_get_all(self.fake_context.elevated()) self.assertEqual(len(share_networks), len(result)) for index, net in enumerate(share_networks): self._check_fields(expected=net, actual=result[index]) def test_get_all_by_project(self): + db_api.share_network_create(self.fake_context, self.share_nw_dict) + share_nw_dict2 = dict(self.share_nw_dict) share_nw_dict2['id'] = 'fake share nw id2' share_nw_dict2['project_id'] = 'fake project 2' - db_api.share_network_create(self.fake_context, self.share_nw_dict) - db_api.share_network_create(self.fake_context, share_nw_dict2) + new_context = context.RequestContext(user_id='fake user 2', + project_id='fake project 2', + is_admin=False) + db_api.share_network_create(new_context, share_nw_dict2) result = db_api.share_network_get_all_by_project( - self.fake_context, + self.fake_context.elevated(), share_nw_dict2['project_id']) self.assertEqual(1, len(result)) @@ -2415,9 +2447,24 @@ def test_update_not_found(self): self.subnet_dict['id'], {}) - @ddt.data([{'id': 'sn_id1', 'project_id': 'fake', 'user_id': 'fake'}], - [{'id': 'fake_id', 'project_id': 'fake', 'user_id': 'fake'}, - {'id': 'sn_id2', 'project_id': 'fake', 'user_id': 'fake'}]) + @ddt.data([ + { + 'id': 'sn_id1', + 'project_id': 'fake project', + 'user_id': 'fake' + } + ], [ + { + 'id': 'fake_id', + 'project_id': 'fake project', + 'user_id': 'fake' + }, + { + 'id': 'sn_id2', + 'project_id': 'fake project', + 'user_id': 'fake' + } + ]) def test_get_all_by_share_network(self, share_networks): for idx, share_network in enumerate(share_networks):
releasenotes/notes/bug-1861485-fix-share-network-retrieval-31768dcda5aeeaaa.yaml+7 −0 added@@ -0,0 +1,7 @@ +--- +security: + - | + CVE-2020-9543: An issue with share network retrieval has been addressed + in the API by scoping unprivileged access to project only. Please see + `launchpad bug #1861485 <https://bugs.launchpad + .net/manila/+bug/1861485>`_ for more details.
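Review bot: in manila/db/sqlalchemy/api.py, `_network_get_query` now passes `project_only=True` with no comment on what that means for its callers. Every lookup built on this helper becomes project-scoped for unprivileged contexts, and the updated tests show that cross-project access now requires `context.elevated()`. A short docstring on `_network_get_query` stating that contract would help later callers avoid both unexpected not-found errors and elevating the context out of habit.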
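Review bot: in manila/tests/db/sqlalchemy/test_api.py (hunk at -2014), the new negative test `test_get_other_tenant` covers only `db_api.share_network_get`. The CVE description lists update and delete alongside view, so matching cases that call the update and delete functions with the unprivileged `self.fake_context` against a network created by `_create_share_network_for_project('fake project 2')` and expect `exception.ShareNetworkNotFound` would pin the behaviour for those paths as well.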
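Review bot: in `test_get_all_by_project` (hunk at -2129), the call was switched to `self.fake_context.elevated()`, so the test now proves only that an admin can list another project's share networks. Add a case that calls `db_api.share_network_get_all_by_project` with the unprivileged `self.fake_context` and `share_nw_dict2['project_id']` and asserts that nothing from 'fake project 2' is returned, since that is the cross-project read this change is meant to block. The same applies to `test_get_all_one_record`, where `share_network_get_all` is now exercised only with an elevated context.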
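Review bot: in the release note, the Launchpad URL is wrapped in the middle of the hostname (`<https://bugs.launchpad` on one line, `.net/manila/+bug/1861485>` on the next). Keep the URL on a single line, even if it exceeds the usual line length, so it can be found by searching and does not depend on how whitespace inside the link target is handled. The note could also state that administrative contexts keep cross-project access, which the updated tests rely on.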
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jx7v-gmqc-6xrj (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-9543 (ADVISORY)
- www.openwall.com/lists/oss-security/2020/03/12/1 (mailing list, WEB)
- bugs.launchpad.net/manila/+bug/1861485 (WEB)
- github.com/openstack/manila/commit/947315f0903c823b0fdd9d99c60078814587272c (WEB)
- github.com/pypa/advisory-database/tree/main/vulns/manila/PYSEC-2020-63.yaml (WEB)
- opendev.org/openstack/manila/commit/947315f0903c823b0fdd9d99c60078814587272c (WEB)
- security.openstack.org/ossa/OSSA-2020-002.html (WEB)