CVE-2024-32498: OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access
(updated )
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file’s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
References
- github.com/advisories/GHSA-r4v4-w9pv-6fph
- github.com/openstack/cinder/commit/78f85c1f9b20a067ef64d6451dee0228c3a0db5e
- github.com/openstack/cinder/commit/d6a186945e03649343af55b46ed8dfe0dd326e40
- github.com/openstack/glance/commit/22f0c9c6f98db1d93569e3edb800c271f35b0ef9
- github.com/openstack/glance/commit/2e65391744a82421bc6f026ee8f1f3550038f175
- github.com/openstack/glance/commit/867d1dd8b6e4f5774257a98c7c33061fbbbde973
- github.com/openstack/glance/commit/cc7d53adbecf85f3d7df78e7618fe8ab3a075c5f
- github.com/openstack/glance/commit/d607e78630cc9d1ca18b3a027322809c042f64df
- github.com/openstack/nova/commit/657e86585cc57f84ab9b364dd189547d231d5927
- launchpad.net/bugs/2059809
- nvd.nist.gov/vuln/detail/CVE-2024-32498
- security.openstack.org/ossa/OSSA-2024-001.html
- www.openwall.com/lists/oss-security/2024/07/02/2
Detect and mitigate CVE-2024-32498 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →