Vulnerability Details CVE-2024-32498
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 29.7%
CVSS Severity
CVSS v3 Score 6.5
References
- http://www.openwall.com/lists/oss-security/2024/07/02/2
- https://launchpad.net/bugs/2059809
- https://security.openstack.org/ossa/OSSA-2024-001.html
- https://www.openwall.com/lists/oss-security/2024/07/02/2
- http://www.openwall.com/lists/oss-security/2024/07/02/2
- https://launchpad.net/bugs/2059809
- https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html
- https://www.openwall.com/lists/oss-security/2024/07/02/2
Products affected by CVE-2024-32498
-
cpe:2.3:a:openstack:cinder:10.0.0
-
cpe:2.3:a:openstack:cinder:10.0.2
-
cpe:2.3:a:openstack:cinder:11.0.0
-
cpe:2.3:a:openstack:cinder:11.1.0
-
cpe:2.3:a:openstack:cinder:11.2.0
-
cpe:2.3:a:openstack:cinder:11.2.1
-
cpe:2.3:a:openstack:cinder:11.2.2
-
cpe:2.3:a:openstack:cinder:12.0.0
-
cpe:2.3:a:openstack:cinder:12.0.10
-
cpe:2.3:a:openstack:cinder:12.0.2
-
cpe:2.3:a:openstack:cinder:12.0.5
-
cpe:2.3:a:openstack:cinder:12.0.6
-
cpe:2.3:a:openstack:cinder:12.0.7
-
cpe:2.3:a:openstack:cinder:12.0.7-13
-
cpe:2.3:a:openstack:cinder:12.0.8
-
cpe:2.3:a:openstack:cinder:12.0.9
-
cpe:2.3:a:openstack:cinder:13.0.0
-
cpe:2.3:a:openstack:cinder:13.0.0.0
-
cpe:2.3:a:openstack:cinder:13.0.1
-
cpe:2.3:a:openstack:cinder:13.0.2
-
cpe:2.3:a:openstack:cinder:13.0.3
-
cpe:2.3:a:openstack:cinder:13.0.4
-
cpe:2.3:a:openstack:cinder:13.0.5
-
cpe:2.3:a:openstack:cinder:13.0.5-11
-
cpe:2.3:a:openstack:cinder:13.0.6
-
cpe:2.3:a:openstack:cinder:13.0.7
-
cpe:2.3:a:openstack:cinder:13.0.8
-
cpe:2.3:a:openstack:cinder:13.0.9
-
cpe:2.3:a:openstack:cinder:14.0.0
-
cpe:2.3:a:openstack:cinder:14.0.0-18
-
cpe:2.3:a:openstack:cinder:14.0.0.0
-
cpe:2.3:a:openstack:cinder:14.0.1
-
cpe:2.3:a:openstack:cinder:14.0.2
-
cpe:2.3:a:openstack:cinder:14.0.3
-
cpe:2.3:a:openstack:cinder:14.0.4
-
cpe:2.3:a:openstack:cinder:14.1.0
-
cpe:2.3:a:openstack:cinder:14.2.0
-
cpe:2.3:a:openstack:cinder:14.2.1
-
cpe:2.3:a:openstack:cinder:14.3.0
-
cpe:2.3:a:openstack:cinder:14.3.1
-
cpe:2.3:a:openstack:cinder:15.0.0
-
cpe:2.3:a:openstack:cinder:15.0.0.0
-
cpe:2.3:a:openstack:cinder:15.0.1
-
cpe:2.3:a:openstack:cinder:15.1.0
-
cpe:2.3:a:openstack:cinder:15.2.0
-
cpe:2.3:a:openstack:cinder:15.3.0
-
cpe:2.3:a:openstack:cinder:15.4.0
-
cpe:2.3:a:openstack:cinder:15.4.1
-
cpe:2.3:a:openstack:cinder:15.5.0
-
cpe:2.3:a:openstack:cinder:15.6.0
-
cpe:2.3:a:openstack:cinder:16.0.0
-
cpe:2.3:a:openstack:cinder:16.0.0.0
-
cpe:2.3:a:openstack:cinder:16.1.0
-
cpe:2.3:a:openstack:cinder:16.2.0
-
cpe:2.3:a:openstack:cinder:16.2.1
-
cpe:2.3:a:openstack:cinder:16.3.0
-
cpe:2.3:a:openstack:cinder:16.4.0
-
cpe:2.3:a:openstack:cinder:16.4.1
-
cpe:2.3:a:openstack:cinder:16.4.2
-
cpe:2.3:a:openstack:cinder:17.0.0
-
cpe:2.3:a:openstack:cinder:17.0.0.0
-
cpe:2.3:a:openstack:cinder:17.0.1
-
cpe:2.3:a:openstack:cinder:17.1.0
-
cpe:2.3:a:openstack:cinder:17.2.0
-
cpe:2.3:a:openstack:cinder:17.3.0
-
cpe:2.3:a:openstack:cinder:17.4.0
-
cpe:2.3:a:openstack:cinder:18.0.0
-
cpe:2.3:a:openstack:cinder:18.0.0.0
-
cpe:2.3:a:openstack:cinder:18.1.0
-
cpe:2.3:a:openstack:cinder:18.2.0
-
cpe:2.3:a:openstack:cinder:18.2.1
-
cpe:2.3:a:openstack:cinder:19.0.0
-
cpe:2.3:a:openstack:cinder:19.0.0.0
-
cpe:2.3:a:openstack:cinder:19.1.0
-
cpe:2.3:a:openstack:cinder:19.1.1
-
cpe:2.3:a:openstack:cinder:19.1.2
-
cpe:2.3:a:openstack:cinder:19.2.0
-
cpe:2.3:a:openstack:cinder:20.0.0
-
cpe:2.3:a:openstack:cinder:20.0.0.0
-
cpe:2.3:a:openstack:cinder:20.0.1
-
cpe:2.3:a:openstack:cinder:20.1.0
-
cpe:2.3:a:openstack:cinder:21.0.0
-
cpe:2.3:a:openstack:cinder:21.0.0.0
-
cpe:2.3:a:openstack:cinder:21.1.0
-
cpe:2.3:a:openstack:cinder:23.0.0
-
cpe:2.3:a:openstack:cinder:24.0.0
-
cpe:2.3:a:openstack:cinder:7.0.0
-
cpe:2.3:a:openstack:cinder:7.0.2
-
cpe:2.3:a:openstack:cinder:8.0.0
-
cpe:2.3:a:openstack:cinder:8.1.0
-
cpe:2.3:a:openstack:cinder:9.0.0
-
cpe:2.3:a:openstack:cinder:9.1.3
-
cpe:2.3:a:openstack:cinder:9.1.4
-
cpe:2.3:a:openstack:glance:0.1.7
-
cpe:2.3:a:openstack:glance:1.0
-
cpe:2.3:a:openstack:glance:11.0.0
-
cpe:2.3:a:openstack:glance:11.0.1
-
cpe:2.3:a:openstack:glance:11.0.2
-
cpe:2.3:a:openstack:glance:12.0.0
-
cpe:2.3:a:openstack:glance:13.0.0
-
cpe:2.3:a:openstack:glance:14.0.0
-
cpe:2.3:a:openstack:glance:14.0.1
-
cpe:2.3:a:openstack:glance:15.0.0
-
cpe:2.3:a:openstack:glance:15.0.1
-
cpe:2.3:a:openstack:glance:15.0.2
-
cpe:2.3:a:openstack:glance:16.0.0
-
cpe:2.3:a:openstack:glance:16.0.1
-
cpe:2.3:a:openstack:glance:17.0.0
-
cpe:2.3:a:openstack:glance:18.0.0
-
cpe:2.3:a:openstack:glance:19.0.0
-
cpe:2.3:a:openstack:glance:19.0.1
-
cpe:2.3:a:openstack:glance:19.0.2
-
cpe:2.3:a:openstack:glance:19.0.3
-
cpe:2.3:a:openstack:glance:19.0.4
-
cpe:2.3:a:openstack:glance:2.0
-
cpe:2.3:a:openstack:glance:20.0.0
-
cpe:2.3:a:openstack:glance:20.0.0.0
-
cpe:2.3:a:openstack:glance:20.0.1
-
cpe:2.3:a:openstack:glance:20.1.0
-
cpe:2.3:a:openstack:glance:21.0.0
-
cpe:2.3:a:openstack:glance:21.0.0.0
-
cpe:2.3:a:openstack:glance:22.0.0
-
cpe:2.3:a:openstack:glance:22.0.0.0
-
cpe:2.3:a:openstack:glance:22.1.0
-
cpe:2.3:a:openstack:glance:23.0.0
-
cpe:2.3:a:openstack:glance:23.0.0.0
-
cpe:2.3:a:openstack:glance:24.0.0
-
cpe:2.3:a:openstack:glance:24.0.0.0
-
cpe:2.3:a:openstack:glance:24.1.0
-
cpe:2.3:a:openstack:glance:24.1.1
-
cpe:2.3:a:openstack:glance:24.2.0
-
cpe:2.3:a:openstack:glance:25.0.0
-
cpe:2.3:a:openstack:glance:25.0.0.0
-
cpe:2.3:a:openstack:glance:25.1.0
-
cpe:2.3:a:openstack:glance:26.0.0.0
-
cpe:2.3:a:openstack:glance:27.0.0
-
cpe:2.3:a:openstack:glance:28.0.0
-
cpe:2.3:a:openstack:nova:-
-
cpe:2.3:a:openstack:nova:0.9.0
-
cpe:2.3:a:openstack:nova:12.0.0
-
cpe:2.3:a:openstack:nova:12.0.1
-
cpe:2.3:a:openstack:nova:12.0.2
-
cpe:2.3:a:openstack:nova:12.0.3
-
cpe:2.3:a:openstack:nova:12.0.4
-
cpe:2.3:a:openstack:nova:12.0.5
-
cpe:2.3:a:openstack:nova:12.0.6
-
cpe:2.3:a:openstack:nova:13.0.0
-
cpe:2.3:a:openstack:nova:13.1.0
-
cpe:2.3:a:openstack:nova:13.1.1
-
cpe:2.3:a:openstack:nova:13.1.2
-
cpe:2.3:a:openstack:nova:13.1.3
-
cpe:2.3:a:openstack:nova:13.1.4
-
cpe:2.3:a:openstack:nova:14.0.0
-
cpe:2.3:a:openstack:nova:14.0.1
-
cpe:2.3:a:openstack:nova:14.0.10
-
cpe:2.3:a:openstack:nova:14.0.2
-
cpe:2.3:a:openstack:nova:14.0.3
-
cpe:2.3:a:openstack:nova:14.0.4
-
cpe:2.3:a:openstack:nova:14.0.5
-
cpe:2.3:a:openstack:nova:14.0.6
-
cpe:2.3:a:openstack:nova:14.0.7
-
cpe:2.3:a:openstack:nova:14.0.8
-
cpe:2.3:a:openstack:nova:14.0.9
-
cpe:2.3:a:openstack:nova:14.1.0
-
cpe:2.3:a:openstack:nova:15.0.0
-
cpe:2.3:a:openstack:nova:15.0.1
-
cpe:2.3:a:openstack:nova:15.0.2
-
cpe:2.3:a:openstack:nova:15.0.3
-
cpe:2.3:a:openstack:nova:15.0.4
-
cpe:2.3:a:openstack:nova:15.0.5
-
cpe:2.3:a:openstack:nova:15.0.6
-
cpe:2.3:a:openstack:nova:15.0.7
-
cpe:2.3:a:openstack:nova:15.0.8
-
cpe:2.3:a:openstack:nova:15.1.0
-
cpe:2.3:a:openstack:nova:15.1.1
-
cpe:2.3:a:openstack:nova:15.1.2
-
cpe:2.3:a:openstack:nova:15.1.3
-
cpe:2.3:a:openstack:nova:15.1.4
-
cpe:2.3:a:openstack:nova:15.1.5
-
cpe:2.3:a:openstack:nova:16.0.0
-
cpe:2.3:a:openstack:nova:16.0.1
-
cpe:2.3:a:openstack:nova:16.0.2
-
cpe:2.3:a:openstack:nova:16.0.3
-
cpe:2.3:a:openstack:nova:16.0.4
-
cpe:2.3:a:openstack:nova:16.1.0
-
cpe:2.3:a:openstack:nova:16.1.1
-
cpe:2.3:a:openstack:nova:16.1.2
-
cpe:2.3:a:openstack:nova:16.1.3
-
cpe:2.3:a:openstack:nova:16.1.4
-
cpe:2.3:a:openstack:nova:16.1.5
-
cpe:2.3:a:openstack:nova:16.1.6
-
cpe:2.3:a:openstack:nova:16.1.7
-
cpe:2.3:a:openstack:nova:16.1.8
-
cpe:2.3:a:openstack:nova:17.0.0
-
cpe:2.3:a:openstack:nova:17.0.1
-
cpe:2.3:a:openstack:nova:17.0.10
-
cpe:2.3:a:openstack:nova:17.0.11
-
cpe:2.3:a:openstack:nova:17.0.12
-
cpe:2.3:a:openstack:nova:17.0.13
-
cpe:2.3:a:openstack:nova:17.0.2
-
cpe:2.3:a:openstack:nova:17.0.3
-
cpe:2.3:a:openstack:nova:17.0.4
-
cpe:2.3:a:openstack:nova:17.0.5
-
cpe:2.3:a:openstack:nova:17.0.6
-
cpe:2.3:a:openstack:nova:17.0.7
-
cpe:2.3:a:openstack:nova:17.0.8
-
cpe:2.3:a:openstack:nova:17.0.9
-
cpe:2.3:a:openstack:nova:18.0.0
-
cpe:2.3:a:openstack:nova:18.0.1
-
cpe:2.3:a:openstack:nova:18.0.2
-
cpe:2.3:a:openstack:nova:18.0.3
-
cpe:2.3:a:openstack:nova:18.1.0
-
cpe:2.3:a:openstack:nova:18.2.0
-
cpe:2.3:a:openstack:nova:18.2.1
-
cpe:2.3:a:openstack:nova:18.2.2
-
cpe:2.3:a:openstack:nova:18.2.3
-
cpe:2.3:a:openstack:nova:18.2.4
-
cpe:2.3:a:openstack:nova:19.0.0
-
cpe:2.3:a:openstack:nova:19.0.1
-
cpe:2.3:a:openstack:nova:19.0.2
-
cpe:2.3:a:openstack:nova:19.0.3
-
cpe:2.3:a:openstack:nova:19.1.0
-
cpe:2.3:a:openstack:nova:19.3.1
-
cpe:2.3:a:openstack:nova:20.0.0
-
cpe:2.3:a:openstack:nova:20.1.0
-
cpe:2.3:a:openstack:nova:20.3.1
-
cpe:2.3:a:openstack:nova:21.0.0
-
cpe:2.3:a:openstack:nova:21.2.3
-
cpe:2.3:a:openstack:nova:22.0.0
-
cpe:2.3:a:openstack:nova:22.2.3
-
cpe:2.3:a:openstack:nova:23.0.0
-
cpe:2.3:a:openstack:nova:23.0.3
-
cpe:2.3:a:openstack:nova:23.2.1
-
cpe:2.3:a:openstack:nova:23.2.2
-
cpe:2.3:a:openstack:nova:24.0.0
-
cpe:2.3:a:openstack:nova:24.1.1
-
cpe:2.3:a:openstack:nova:24.1.2
-
cpe:2.3:a:openstack:nova:25.0.0
-
cpe:2.3:a:openstack:nova:25.0.1
-
cpe:2.3:a:openstack:nova:25.0.2
-
cpe:2.3:a:openstack:nova:28.0.0
-
cpe:2.3:a:openstack:nova:29.0.0
-
cpe:2.3:a:openstack:nova:29.0.1
-
cpe:2.3:a:openstack:nova:29.0.2