Ubuntu Security Notice 2005-1 - Rongze Zhu discovered that the Cinder LVM driver did not zero out data when deleting snapshots. This could expose sensitive information to authenticated users when subsequent servers use the volume. Grant Murphy discovered that Cinder would allow XML entity processing. A remote unauthenticated attacker could exploit this using the Cinder API to cause a denial of service via resource exhaustion. Various other issues were also addressed.
c777310c03c01583333fab2c17424fcb89ab74aada494927544c9f3dc1f62ca7
Red Hat Security Advisory 2013-1198-01 - The openstack-cinder packages provide OpenStack Volume, which provides services to manage and access block storage volumes for use by virtual machine instances. It was found that the fixes for CVE-2013-1664 and CVE-2013-1665, released via RHSA-2013:0658, did not fully correct the issues in the Extensible Markup Language parser used by Cinder. A remote attacker could use this flaw to send a specially crafted request to a Cinder API, causing Cinder to consume an excessive amount of CPU and memory, or possibly crash.
bf0a9935b89a5e2ba5f94b642a5c64343167399e4f8f6e662d79e007bc99297b