CVE-2023-2088

Publication date 10 May 2023

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

6.5 · Medium


A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.


Status

Package Ubuntu Release Status
cinder 23.04 lunar Fixed 2:22.0.0-0ubuntu1.3
cinder 22.10 kinetic Ignored end of life
cinder 22.04 LTS jammy Fixed 2:20.2.0-0ubuntu1.1
cinder 20.04 LTS focal Ignored
cinder 18.04 LTS bionic Ignored
cinder 16.04 LTS xenial Ignored
cinder 14.04 LTS trusty Ignored end of standard support
ironic 23.04 lunar Fixed 1:21.4.0-0ubuntu1.1
ironic 22.10 kinetic Ignored end of life
ironic 22.04 LTS jammy Fixed 1:20.1.0-0ubuntu1.1
ironic 20.04 LTS focal Ignored
ironic 18.04 LTS bionic Ignored
ironic 16.04 LTS xenial Ignored
ironic 14.04 LTS trusty Ignored end of standard support
nova 23.04 lunar Fixed 3:27.0.0-0ubuntu1.3
nova 22.10 kinetic Ignored end of life
nova 22.04 LTS jammy Fixed 3:25.1.1-0ubuntu1.1
nova 20.04 LTS focal Ignored
nova 18.04 LTS bionic Ignored
nova 16.04 LTS xenial Ignored
nova 14.04 LTS trusty Ignored end of standard support
python-glance-store 23.04 lunar Fixed 4.3.0-0ubuntu1.3
python-glance-store 22.10 kinetic Ignored end of life
python-glance-store 22.04 LTS jammy Fixed 3.0.0-0ubuntu1.3
python-glance-store 20.04 LTS focal Ignored
python-glance-store 18.04 LTS bionic Ignored
python-glance-store 16.04 LTS xenial Ignored
python-glance-store 14.04 LTS trusty Ignored end of standard support
python-os-brick 23.04 lunar Fixed 6.2.0-0ubuntu2.3
python-os-brick 22.10 kinetic Ignored end of life
python-os-brick 22.04 LTS jammy Fixed 5.2.2-0ubuntu1.2
python-os-brick 20.04 LTS focal Ignored
python-os-brick 18.04 LTS bionic Ignored
python-os-brick 16.04 LTS xenial Ignored
python-os-brick 14.04 LTS trusty Ignored end of standard support

Notes


mdeslaur

The fix for this CVE was reverted in USN-6073-6 to USN-6073-9 as it was causing problems detaching volumes.

These updates may require configuration changes, see:
https://discourse.ubuntu.com/t/cve-2023-2088-for-charmed-openstack/37051
https://lists.openstack.org/pipermail/openstack-discuss/2023-July/034439.html

Due to the extensive changes required to fix this issue, we will not be releasing updates for Focal and earlier.

Severity score breakdown

Parameter Value
Base score 6.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
