CVE-2020-9543: OpenStack Manila Unprivileged users can retrieve, use and manipulate share networks
CVSS Score: 8.3 (CVSS v3.1)

Basic Information
CVE ID: CVE-2020-9543
GHSA ID:
EPSS Score: 0.54749%
CWE:
Published: 5/24/2022
Updated: 9/30/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| manila | pip | < 7.4.1 | 7.4.1 |
| manila | pip | >= 8.0.0, < 8.1.1 | 8.1.1 |
| manila | pip | >= 9.0.0, < 9.1.1 | 9.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing project isolation in the share network database queries. The fix commit adds 'project_only=True' to the model_query call in _network_get_query; this parameter is what enforces tenant isolation in OpenStack's policy framework, restricting the query to the requesting project's rows unless the context is elevated. Before the fix, the absence of this check meant a share network could be looked up by UUID alone, with no regard to the requesting project, so the lookup returned share networks belonging to other projects. The tests in test_api.py were also changed to use elevated contexts for cross-project operations, which confirms that the default API behaviour lacked proper scoping.
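To make the root cause concrete, the following is an added illustration, not Manila's own code: a small sqlite-backed model of a 'model_query' helper with and without the 'project_only=True' scoping described above. The RequestContext class, the share_networks table, the two constructed tenant records, and the vulnerable_get/fixed_get helpers are all simplifications assumed for this example (Manila's real database layer is built on SQLAlchemy and its context objects carry more state). The point demonstrated is that without the project filter a lookup keyed on UUID alone returns another project's share network, while with the filter the same lookup fails for the non-owning tenant and still succeeds for an elevated (admin) context, which is why the fixed tests had to switch to elevated contexts for cross-project operations.

```python
import sqlite3
from dataclasses import dataclass


@dataclass
class RequestContext:
    """Minimal stand-in for an OpenStack request context (constructed for this example)."""
    project_id: str
    is_admin: bool = False

    def elevated(self):
        """Return an admin copy, mirroring the elevated contexts the fixed tests use."""
        return RequestContext(self.project_id, is_admin=True)


class NotFound(Exception):
    """Raised when the scoped query returns no row."""


def build_db():
    """Constructed sample data: two share networks owned by two different projects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE share_networks (id TEXT PRIMARY KEY, project_id TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO share_networks VALUES (?, ?, ?)",
        [
            ("net-aaaa", "project-a", "tenant A network"),
            ("net-bbbb", "project-b", "tenant B network"),
        ],
    )
    return conn


def model_query(context, project_only=False):
    """Simplified analogue of a model_query helper (assumption, not Manila's code).

    With project_only=True the query is scoped to the caller's project unless the
    context is elevated (admin); with project_only=False no tenant filter is applied.
    Returns the SQL text and its bound parameters.
    """
    sql = "SELECT id, project_id, name FROM share_networks"
    params = []
    if project_only and not context.is_admin:
        sql += " WHERE project_id = ?"
        params.append(context.project_id)
    return sql, params


def share_network_get(context, conn, network_id, project_only):
    """Look up one share network by UUID, optionally scoped to the caller's project."""
    sql, params = model_query(context, project_only=project_only)
    sql += (" AND " if params else " WHERE ") + "id = ?"
    params.append(network_id)
    row = conn.execute(sql, params).fetchone()
    if row is None:
        raise NotFound(network_id)
    return {"id": row[0], "project_id": row[1], "name": row[2]}


def vulnerable_get(context, conn, network_id):
    """Pre-fix behaviour: lookup by UUID alone, with no project scoping."""
    return share_network_get(context, conn, network_id, project_only=False)


def fixed_get(context, conn, network_id):
    """Post-fix behaviour: project_only=True, so other tenants' networks are invisible."""
    return share_network_get(context, conn, network_id, project_only=True)


def demo():
    """Run tenant A's lookups against both variants and report what each returned."""
    conn = build_db()
    tenant_a = RequestContext("project-a")
    # Tenant A requesting tenant B's network by UUID: the unscoped query hands it over.
    leaked_owner = vulnerable_get(tenant_a, conn, "net-bbbb")["project_id"]
    # The scoped query treats the same request as not found.
    try:
        fixed_get(tenant_a, conn, "net-bbbb")
        blocked = False
    except NotFound:
        blocked = True
    # An elevated context still sees it, which is what cross-project tests need.
    admin_owner = fixed_get(tenant_a.elevated(), conn, "net-bbbb")["project_id"]
    # Tenant A's own network remains reachable through the scoped query.
    own_owner = fixed_get(tenant_a, conn, "net-aaaa")["project_id"]
    return leaked_owner, blocked, admin_owner, own_owner


if __name__ == "__main__":
    print(demo())
```

Note that the scoping is applied inside the shared query helper rather than in each caller: once 'project_only=True' is set at the point where the query is built, every code path that resolves a share network by id inherits the tenant filter, so a single omitted check in one API handler cannot reopen the cross-project lookup.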