Severity: 6.5 MEDIUM
EPSS: 0.2% (top 61.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 5
Latest update: Nov 7

Description

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conver

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (9 packages)

NVD | openstack/nova | 28.0.0 | 28.1.1 | +2
NVD | openstack/cinder | 23.0.0 | 23.1.1 | +2
NVD | openstack/glance | 28.0.0 | 28.0.2 | +2
Debian | nova | < 2:22.4.0-1~deb11u5 | +3
Debian | cinder | < 2:17.4.0-1~deb11u2 | +3

Patches

🔴 Vulnerability Details (5)

GHSA: OpenStack Nova vulnerable to unauthorized access to potentially sensitive data (2024-07-24)
OSV: OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access (2024-07-05)
GHSA: OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access (2024-07-05)
OSV: CVE-2024-32498: An issue was discovered in OpenStack Cinder through 24 (2024-07-05)
CVEList: CVE-2024-32498: An issue was discovered in OpenStack Cinder through 24 (2024-07-05)

📋 Vendor Advisories (7)

Ubuntu: Cinder regression (2024-11-07)
Red Hat: openstack-nova: Regression VMDK/qcow arbitrary file access (2024-07-23)
Ubuntu: OpenStack Glance vulnerability (2024-07-08)
Ubuntu: Nova vulnerability (2024-07-08)
Ubuntu: Cinder vulnerability (2024-07-08)