Lucene search

MitreCVE-2024-32498

HistoryJul 05, 2024 - 2:15 a.m.

CVE-2024-32498

2024-07-0502:15:09

mitre

web.nvd.nist.gov

openstack

cinder

glance

nova

vulnerability

unauthorized access

data breach

qcow2

file access

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

18.3%

JSON

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file’s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

Affected configurations

Nvd

Node

openstackcinderRange<22.1.3

openstackcinderRange23.0.0–23.1.1

openstackcinderMatch24.0.0

openstackglanceRange<26.0.1

openstackglanceRange28.0.0–28.0.2

openstackglanceMatch27.0.0

openstacknovaRange<27.3.1

openstacknovaRange28.0.0–28.1.1

openstacknovaRange29.0.0–29.0.3

VendorProductVersionCPE
openstackcinder*cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
openstackcinder24.0.0cpe:2.3:a:openstack:cinder:24.0.0:*:*:*:*:*:*:*
openstackglance*cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*
openstackglance27.0.0cpe:2.3:a:openstack:glance:27.0.0:*:*:*:*:*:*:*
openstacknova*cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openstack	cinder	*	cpe:2.3:a:openstack:cinder::::::::
openstack	cinder	24.0.0	cpe:2.3:a:openstack:cinder:24.0.0:::::::*
openstack	glance	*	cpe:2.3:a:openstack:glance::::::::
openstack	glance	27.0.0	cpe:2.3:a:openstack:glance:27.0.0:::::::*
openstack	nova	*	cpe:2.3:a:openstack:nova::::::::