Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yNHY0LXc5cHYtNmZwaM4AA9mC

OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

Permalink: https://github.com/advisories/GHSA-r4v4-w9pv-6fph
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNHY0LXc5cHYtNmZwaM4AA9mC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 2 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-r4v4-w9pv-6fph, CVE-2024-32498
References:

Repository: https://github.com/openstack/cinder
Blast Radius: 10.4

Affected Packages

pypi:nova

Dependent packages: 0
Dependent repositories: 40
Downloads: 7,869 last month
Affected Version Ranges: <= 29.0.2
No known fixed version
All affected versions: 15.1.5, 16.1.6, 16.1.7, 16.1.8, 17.0.7, 17.0.8, 17.0.9, 17.0.10, 17.0.11, 17.0.12, 17.0.13, 18.0.2, 18.0.3, 18.1.0, 18.2.0, 18.2.1, 18.2.2, 18.2.3, 18.3.0, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.2.0, 19.3.0, 19.3.1, 19.3.2, 20.0.0, 20.0.1, 20.1.0, 20.1.1, 20.2.0, 20.3.0, 20.4.0, 20.4.1, 20.5.0, 20.6.0, 20.6.1, 21.0.0, 21.1.0, 21.1.1, 21.1.2, 21.2.0, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 22.0.0, 22.0.1, 22.1.0, 22.2.0, 22.2.1, 22.2.2, 22.3.0, 22.4.0, 23.0.0, 23.0.1, 23.0.2, 23.1.0, 23.2.0, 23.2.1, 23.2.2, 24.0.0, 24.1.0, 24.1.1, 24.2.0, 24.2.1, 25.0.0, 25.0.1, 25.1.0, 25.1.1, 25.2.0, 25.2.1, 25.3.0, 26.0.0, 26.1.0, 26.1.1, 26.2.0, 26.2.1, 26.2.2, 26.3.0, 27.0.0, 27.1.0, 27.2.0, 27.3.0, 27.4.0, 27.5.0, 28.0.0, 28.0.1, 28.1.0, 28.2.0, 28.3.0, 29.0.0, 29.0.1, 29.0.2

pypi:glance

Dependent packages: 0
Dependent repositories: 13
Downloads: 3,655 last month
Affected Version Ranges: <= 28.0.1
No known fixed version
All affected versions: 15.0.2, 17.0.1, 18.0.0, 18.0.1, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 20.0.0, 20.0.1, 20.1.0, 20.2.0, 21.0.0, 21.1.0, 22.0.0, 22.1.0, 22.1.1, 23.0.0, 23.1.0, 24.0.0, 24.1.0, 24.2.0, 24.2.1, 25.0.0, 25.1.0, 26.0.0, 26.1.0, 27.0.0, 27.1.0, 28.0.0, 28.0.1

pypi:cinder

Dependent packages: 1
Dependent repositories: 12
Downloads: 6,555 last month
Affected Version Ranges: <= 24.0.0
No known fixed version
All affected versions: 10.0.8, 11.2.0, 11.2.1, 11.2.2, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.1.0, 14.2.0, 14.2.1, 14.3.0, 14.3.1, 15.0.0, 15.0.1, 15.1.0, 15.2.0, 15.3.0, 15.4.0, 15.4.1, 15.5.0, 15.6.0, 16.0.0, 16.1.0, 16.2.0, 16.2.1, 16.3.0, 16.4.0, 16.4.1, 16.4.2, 17.0.0, 17.0.1, 17.1.0, 17.2.0, 17.3.0, 17.4.0, 18.0.0, 18.1.0, 18.2.0, 18.2.1, 19.0.0, 19.1.0, 19.1.1, 19.2.0, 19.3.0, 20.0.0, 20.0.1, 20.1.0, 20.2.0, 20.3.0, 20.3.1, 20.3.2, 21.0.0, 21.1.0, 21.2.0, 21.3.0, 21.3.1, 21.3.2, 22.0.0, 22.1.0, 22.1.1, 22.1.2, 22.2.0, 23.0.0, 23.1.0, 23.2.0, 24.0.0