MEDIUM 6.5 PyPI
OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access
GHSA-r4v4-w9pv-6fph · CVE-2024-32498
Published · Modified
Description
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-32498
- WEB https://github.com/openstack/cinder/commit/78f85c1f9b20a067ef64d6451dee0228c3a0db5e
- WEB https://github.com/openstack/cinder/commit/d6a186945e03649343af55b46ed8dfe0dd326e40
- WEB https://github.com/openstack/glance/commit/22f0c9c6f98db1d93569e3edb800c271f35b0ef9
- WEB https://github.com/openstack/glance/commit/2e65391744a82421bc6f026ee8f1f3550038f175
- WEB https://github.com/openstack/glance/commit/867d1dd8b6e4f5774257a98c7c33061fbbbde973
- WEB https://github.com/openstack/glance/commit/cc7d53adbecf85f3d7df78e7618fe8ab3a075c5f
- WEB https://github.com/openstack/glance/commit/d607e78630cc9d1ca18b3a027322809c042f64df
- WEB https://github.com/openstack/nova/commit/657e86585cc57f84ab9b364dd189547d231d5927
- WEB https://launchpad.net/bugs/2059809
- WEB https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html
- WEB https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html
- WEB https://security.openstack.org/ossa/OSSA-2024-001.html
- WEB https://www.openwall.com/lists/oss-security/2024/07/02/2
- WEB http://www.openwall.com/lists/oss-security/2024/07/02/2
Ready to move
Start Securing
Free, no credit card | First findings in minutes