An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2024/07/02/2 | |
https://launchpad.net/bugs/2059809 | Issue Tracking Patch |
https://security.openstack.org/ossa/OSSA-2024-001.html | |
https://www.openwall.com/lists/oss-security/2024/07/02/2 | Mailing List Patch |
Configurations
Configuration 1 (hide)
|
History
30 Oct 2024, 20:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-552 |
23 Sep 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Jul 2024, 16:43
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:* cpe:2.3:a:openstack:glance:27.0.0:*:*:*:*:*:*:* cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:* cpe:2.3:a:openstack:cinder:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:* |
|
References | () https://launchpad.net/bugs/2059809 - Issue Tracking, Patch | |
References | () https://www.openwall.com/lists/oss-security/2024/07/02/2 - Mailing List, Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
First Time |
Openstack
Openstack cinder Openstack nova Openstack glance |
|
CWE | NVD-CWE-noinfo |
05 Jul 2024, 12:55
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
05 Jul 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-05 02:15
Updated : 2024-10-30 20:35
NVD link : CVE-2024-32498
Mitre link : CVE-2024-32498
CVE.ORG link : CVE-2024-32498
JSON object : View
Products Affected
openstack
- cinder
- glance
- nova
CWE