Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2024-32498

Published: Jul 05, 2024 | Modified: Jul 08, 2024
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
8.8 CRITICAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2024-32498
CWEhttps://cwe.mitre.org/data/definitions/.html

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that files contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

Affected Software

Name Vendor Start Version End Version
Cinder Openstack * 22.1.3 (excluding)
Cinder Openstack 23.0.0 (including) 23.1.1 (excluding)
Cinder Openstack 24.0.0 (including) 24.0.0 (including)
Glance Openstack * 26.0.1 (excluding)
Glance Openstack 28.0.0 (including) 28.0.2 (excluding)
Glance Openstack 27.0.0 (including) 27.0.0 (including)
Nova Openstack * 27.3.1 (excluding)
Nova Openstack 28.0.0 (including) 28.1.1 (excluding)
Nova Openstack 29.0.0 (including) 29.0.3 (excluding)
Red Hat OpenStack Platform 16.1 RedHat openstack-cinder-1:15.4.0-1.20230510003503.el8ost *
Red Hat OpenStack Platform 16.1 RedHat openstack-glance-1:19.0.4-1.20230310213451.el8ost *
Red Hat OpenStack Platform 16.1 RedHat openstack-nova-1:20.4.1-1.20221005193234.el8ost *
Red Hat OpenStack Platform 16.2 RedHat openstack-cinder-1:15.6.1-2.20230906144858.el8ost *
Red Hat OpenStack Platform 16.2 RedHat openstack-glance-1:19.0.5-2.20230310205021.el8ost *
Red Hat OpenStack Platform 16.2 RedHat openstack-nova-1:20.6.2-2.20230814165228.el8ost *
Red Hat OpenStack Platform 17.1 for RHEL 8 RedHat openstack-nova-1:23.2.3-17.1.20231018123754.el8ost *
Red Hat OpenStack Platform 17.1 for RHEL 9 RedHat openstack-cinder-1:18.2.2-17.1.20231011140829.el9ost *
Red Hat OpenStack Platform 17.1 for RHEL 9 RedHat openstack-glance-1:22.1.2-17.1.20230621071326.el9ost *
Red Hat OpenStack Platform 17.1 for RHEL 9 RedHat openstack-nova-1:23.2.3-17.1.20231018130828.el9ost *
Cinder Ubuntu devel *
Cinder Ubuntu focal *
Cinder Ubuntu jammy *
Cinder Ubuntu mantic *
Cinder Ubuntu noble *
Glance Ubuntu devel *
Glance Ubuntu focal *
Glance Ubuntu jammy *
Glance Ubuntu mantic *
Glance Ubuntu noble *
Nova Ubuntu devel *
Nova Ubuntu focal *
Nova Ubuntu jammy *
Nova Ubuntu mantic *
Nova Ubuntu noble *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use