CVE-2024-32498

2024-07-0502:15:09

[email protected]

web.nvd.nist.gov

openstack

cinder

glance

nova

arbitrary file access

qcow2

unauthorized access

sensitive data

security vulnerability

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

18.3%

JSON

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file’s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

Affected configurations

Nvd

Node

openstackcinderRange<22.1.3

openstackcinderRange23.0.0–23.1.1

openstackcinderMatch24.0.0

openstackglanceRange<26.0.1

openstackglanceRange28.0.0–28.0.2

openstackglanceMatch27.0.0

openstacknovaRange<27.3.1

openstacknovaRange28.0.0–28.1.1

openstacknovaRange29.0.0–29.0.3

VendorProductVersionCPE
openstackcinder*cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
openstackcinder24.0.0cpe:2.3:a:openstack:cinder:24.0.0:*:*:*:*:*:*:*
openstackglance*cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*
openstackglance27.0.0cpe:2.3:a:openstack:glance:27.0.0:*:*:*:*:*:*:*
openstacknova*cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openstack	cinder	*	cpe:2.3:a:openstack:cinder::::::::
openstack	cinder	24.0.0	cpe:2.3:a:openstack:cinder:24.0.0:::::::*
openstack	glance	*	cpe:2.3:a:openstack:glance::::::::
openstack	glance	27.0.0	cpe:2.3:a:openstack:glance:27.0.0:::::::*
openstack	nova	*	cpe:2.3:a:openstack:nova::::::::