{"api_version":"1","generated_at":"2026-04-23T05:57:09+00:00","cve":"CVE-2017-15139","urls":{"html":"https://cve.report/CVE-2017-15139","api":"https://cve.report/api/cve/CVE-2017-15139.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-15139","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-15139"},"summary":{"title":"CVE-2017-15139","description":"A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-08-27 17:29:00","updated_at":"2023-02-03 02:10:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"1599899 – (CVE-2017-15139) CVE-2017-15139 openstack-cinder: Data retained after deletion of a ScaleIO volume","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:0917","name":"RHSA-2019:0917","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:3601","name":"RHSA-2018:3601","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wiki.openstack.org/wiki/OSSN/OSSN-0084","name":"https://wiki.openstack.org/wiki/OSSN/OSSN-0084","refsource":"MISC","tags":["Mitigation","Third Party Advisory"],"title":"OSSN/OSSN-0084 - OpenStack","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-15139","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15139","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"15139","vulnerable":"1","versionEndIncluding":"12.0.4-7","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"openstack","cpe5":"cinder","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15139","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15139","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"13","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15139","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"13.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15139","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15139","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"13.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2017-15139","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"openstack-cinder","version":{"version_data":[{"version_value":"up to and including Queens"}]}}]},"vendor_name":"OpenStack Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants."}]},"impact":{"cvss":[[{"vectorString":"5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.0"}]]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200"}]}]},"references":{"reference_data":[{"name":"https://wiki.openstack.org/wiki/OSSN/OSSN-0084","refsource":"MISC","url":"https://wiki.openstack.org/wiki/OSSN/OSSN-0084"},{"name":"RHSA-2018:3601","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:3601"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139"},{"refsource":"REDHAT","name":"RHSA-2019:0917","url":"https://access.redhat.com/errata/RHSA-2019:0917"}]}},"nvd":{"publishedDate":"2018-08-27 17:29:00","lastModifiedDate":"2023-02-03 02:10:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:openstack:cinder:*:*:*:*:*:*:*:*","versionEndIncluding":"12.0.4-7","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"15139","Ordinal":"112641","Title":"CVE-2017-15139","CVE":"CVE-2017-15139","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"15139","Ordinal":"1","NoteData":"A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"15139","Ordinal":"2","NoteData":"2018-08-27","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"15139","Ordinal":"3","NoteData":"2019-04-30","Type":"Other","Title":"Modified"}]}}}