CVE-2024-32498

MEDIUM

OpenStack <24.0.0, <28.0.2, <29.0.3 - Info Disclosure

Title source: llm

Description

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

References (6)

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html

[Issue Tracking, Patch] https://launchpad.net/bugs/2059809

[Mailing List, Patch] https://www.openwall.com/lists/oss-security/2024/07/02/2

[Various Sources] https://security.openstack.org/ossa/OSSA-2024-001.html

[Mailing List] http://www.openwall.com/lists/oss-security/2024/07/02/2

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 44.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-552

Status published

Products (8)

openstack/cinder 24.0.0

openstack/cinder < 22.1.3

openstack/glance 27.0.0

openstack/glance < 26.0.1

openstack/nova < 27.3.1

pypi/cinder 0PyPI

pypi/glance 0PyPI

pypi/nova 0PyPI

Published Jul 05, 2024

Tracked Since Feb 18, 2026