Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yNHY0LXc5cHYtNmZwaM4AA9mC

OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

Permalink: https://github.com/advisories/GHSA-r4v4-w9pv-6fph
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNHY0LXc5cHYtNmZwaM4AA9mC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 3 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.0007
EPSS Percentile: 0.32541

Identifiers: GHSA-r4v4-w9pv-6fph, CVE-2024-32498
References:

Repository: https://github.com/openstack/cinder
Blast Radius: 10.4

Affected Packages

pypi:nova

Dependent packages: 0
Dependent repositories: 40
Downloads: 5,422 last month
Affected Version Ranges: <= 29.0.2
No known fixed version
All affected versions: 15.1.5, 16.1.6, 16.1.7, 16.1.8, 17.0.7, 17.0.8, 17.0.9, 17.0.10, 17.0.11, 17.0.12, 17.0.13, 18.0.2, 18.0.3, 18.1.0, 18.2.0, 18.2.1, 18.2.2, 18.2.3, 18.3.0, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.2.0, 19.3.0, 19.3.1, 19.3.2, 20.0.0, 20.0.1, 20.1.0, 20.1.1, 20.2.0, 20.3.0, 20.4.0, 20.4.1, 20.5.0, 20.6.0, 20.6.1, 21.0.0, 21.1.0, 21.1.1, 21.1.2, 21.2.0, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 22.0.0, 22.0.1, 22.1.0, 22.2.0, 22.2.1, 22.2.2, 22.3.0, 22.4.0, 23.0.0, 23.0.1, 23.0.2, 23.1.0, 23.2.0, 23.2.1, 23.2.2, 24.0.0, 24.1.0, 24.1.1, 24.2.0, 24.2.1, 25.0.0, 25.0.1, 25.1.0, 25.1.1, 25.2.0, 25.2.1, 25.3.0, 26.0.0, 26.1.0, 26.1.1, 26.2.0, 26.2.1, 26.2.2, 26.3.0, 27.0.0, 27.1.0, 27.2.0, 27.3.0, 27.4.0, 27.5.0, 27.5.1, 28.0.0, 28.0.1, 28.1.0, 28.2.0, 28.3.0, 29.0.0, 29.0.1, 29.0.2

pypi:glance

Dependent packages: 0
Dependent repositories: 13
Downloads: 4,099 last month
Affected Version Ranges: <= 28.0.1
No known fixed version
All affected versions: 15.0.2, 17.0.1, 18.0.0, 18.0.1, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 20.0.0, 20.0.1, 20.1.0, 20.2.0, 21.0.0, 21.1.0, 22.0.0, 22.1.0, 22.1.1, 23.0.0, 23.1.0, 24.0.0, 24.1.0, 24.2.0, 24.2.1, 25.0.0, 25.1.0, 26.0.0, 26.1.0, 27.0.0, 27.1.0, 28.0.0, 28.0.1

pypi:cinder

Dependent packages: 1
Dependent repositories: 12
Downloads: 5,850 last month
Affected Version Ranges: <= 24.0.0
No known fixed version
All affected versions: 10.0.8, 11.2.0, 11.2.1, 11.2.2, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.1.0, 14.2.0, 14.2.1, 14.3.0, 14.3.1, 15.0.0, 15.0.1, 15.1.0, 15.2.0, 15.3.0, 15.4.0, 15.4.1, 15.5.0, 15.6.0, 16.0.0, 16.1.0, 16.2.0, 16.2.1, 16.3.0, 16.4.0, 16.4.1, 16.4.2, 17.0.0, 17.0.1, 17.1.0, 17.2.0, 17.3.0, 17.4.0, 18.0.0, 18.1.0, 18.2.0, 18.2.1, 19.0.0, 19.1.0, 19.1.1, 19.2.0, 19.3.0, 20.0.0, 20.0.1, 20.1.0, 20.2.0, 20.3.0, 20.3.1, 20.3.2, 21.0.0, 21.1.0, 21.2.0, 21.3.0, 21.3.1, 21.3.2, 22.0.0, 22.1.0, 22.1.1, 22.1.2, 22.2.0, 22.3.0, 23.0.0, 23.1.0, 23.2.0, 23.3.0, 24.0.0