CVE-2022-47951
Description
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted VMDK flat image can trick OpenStack services (Cinder, Glance, Nova) into leaking arbitrary server files.
Overview
The vulnerability resides in how OpenStack Cinder, Glance, and Nova handle specially crafted VMDK flat image files. By including a reference to an arbitrary backing file path within the VMDK descriptor, an authenticated user can cause these services to read and return the contents of that file from the server's filesystem. This amounts to an arbitrary file read on the server, and it requires no administrative privileges beyond the ordinary permission to upload images or create volumes [1][2][3].
Exploitation
An attacker must first authenticate to the OpenStack environment and have the ability to upload images (to Glance) or create volumes (via Cinder) that will be processed by the compute (Nova) or image services. The exploit relies on crafting a VMDK flat descriptor that points to a target file. When the image is converted, transferred, or used to boot an instance, the vulnerable code will follow the backing file path and serve the contents of that file back to the attacker, effectively bypassing normal file access controls [2][3].
Impact
Successful exploitation allows an authenticated user to read arbitrary files from the server where the service processes the VMDK. This could include sensitive configuration files, credentials (e.g., /etc/passwd, cloud-init secrets, service account keys), or any other host file. The impact is considered critical by OpenStack, as it can lead to complete compromise of the affected services and the underlying host [1][2][3].
Mitigation
Patches have been released for all affected branches: Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. Deployers are strongly advised to upgrade to the fixed versions or apply the patches from the OpenStack gerrit reviews [3]. No workaround is provided, but disabling image conversion in Glance deployments may reduce the attack surface [3].
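A defender-side pre-check of the kind the Overview, Exploitation and Mitigation paragraphs call for: inspect a VMDK descriptor and reject it if it points at any file other than the upload itself, before the image is converted, attached or booted. This is an added example, not OpenStack's own fix; it assumes the standard VMDK text-descriptor layout (`createType=` and `parentFileNameHint=` key/value lines, extent lines of the form `RW <sectors> <type> "<file>" [offset]`), and the allow-list of self-contained sub-formats and the two sample descriptors are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Sub-formats whose data lives entirely inside the single uploaded file
# (assumed allow-list for this example, not a project setting).
ALLOWED_CREATE_TYPES = {"monolithicSparse", "streamOptimized"}
# Extent line:  RW <sectors> <type> "<filename>" [offset]
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]*)"(?:\s+\d+)?\s*$')


def vmdk_descriptor_findings(descriptor: str) -> list:
    """Return the reasons a descriptor must be rejected; empty means accept."""
    findings, create_type = [], None
    for raw in descriptor.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        extent = EXTENT_RE.match(line)
        if extent is None and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip().strip('"')
            if key == "createType":
                create_type = value
            elif key == "parentFileNameHint":
                # A parent disk is a backing file outside the upload; the
                # service would open and return whatever sits at that path.
                findings.append(f"parentFileNameHint references {value!r}")
            continue
        if extent is None:
            continue
        ext_type, filename = extent.group(3), extent.group(4)
        if ext_type.upper() == "FLAT":
            # Flat extents keep the disk data in a separate file named here.
            findings.append(f"FLAT extent backed by external file {filename!r}")
        path = PurePosixPath(filename)
        if path.is_absolute() or ".." in path.parts:
            findings.append(f"extent path leaves the image directory: {filename!r}")
    if create_type not in ALLOWED_CREATE_TYPES:
        findings.append(f"createType {create_type!r} is not allow-listed")
    return findings


# Constructed sample descriptors (not taken from real images).
SAFE_DESCRIPTOR = """# Disk DescriptorFile
createType="monolithicSparse"
RW 4192256 SPARSE "disk.vmdk"
"""
FLAT_DESCRIPTOR = """# Disk DescriptorFile
createType="monolithicFlat"
RW 4192256 FLAT "/srv/host-data/secret.conf" 0
"""
```

Run against an upload before `qemu-img convert` or attach; any non-empty result is grounds to refuse the image and log the finding.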
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cinder (PyPI) | < 19.1.2 | 19.1.2 |
| cinder (PyPI) | >= 20.0.0, < 20.0.2 | 20.0.2 |
| glance (PyPI) | < 23.0.1 | 23.0.1 |
| glance (PyPI) | >= 24.0.0, < 24.1.1 | 24.1.1 |
| nova (PyPI) | < 24.1.2 | 24.1.2 |
| nova (PyPI) | >= 25.0.0, < 25.0.2 | 25.0.2 |
Affected products
- OpenStack/Cinder
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7h75-hwxx-qpgc (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-47951 (advisory, via GHSA)
- www.debian.org/security/2023/dsa-5336 (vendor advisory, via GHSA)
- www.debian.org/security/2023/dsa-5337 (vendor advisory, via GHSA)
- www.debian.org/security/2023/dsa-5338 (vendor advisory, via GHSA)
- launchpad.net/bugs/1996188 (web, via GHSA)
- lists.debian.org/debian-lts-announce/2023/01/msg00040.html (mailing list, via GHSA)
- lists.debian.org/debian-lts-announce/2023/01/msg00041.html (mailing list, via GHSA)
- lists.debian.org/debian-lts-announce/2023/01/msg00042.html (mailing list, via GHSA)
- security.openstack.org/ossa/OSSA-2023-002.html (web, via GHSA)
News mentions
No linked articles in our index yet.