CVE-2024-32498

Severity

65%

Complexity

27%

Confidentiality

60%

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

CVSS 3.1 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Overview

First reported 7 months ago

2024-07-05 02:15:00

Last updated 3 months ago

2024-11-21 09:15:00

Affected Software

OpenStack Nova

References

https://launchpad.net/bugs/2059809

https://www.openwall.com/lists/oss-security/2024/07/02/2

https://launchpad.net/bugs/2059809

Issue Tracking, Patch

https://www.openwall.com/lists/oss-security/2024/07/02/2

Mailing List, Patch

[oss-security] 20240702 [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)

https://security.openstack.org/ossa/OSSA-2024-001.html

http://www.openwall.com/lists/oss-security/2024/07/02/2

https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.