CVE-2024-32498

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-32498
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32498.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-32498
Aliases
Downstream
Published
2024-07-05T02:15:09.840Z
Modified
2026-03-18T11:52:26.446279Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

References

Affected packages

Git / github.com/openstack/cinder

Affected ranges

Type
GIT
Repo
https://github.com/openstack/cinder
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
bcf399027edbd7c898a2f0583020e363e06e50d2
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c36f40684e140a1492b00dd4812e8dce17fb2ebf
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "24.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "27.0.0"
        }
    ]
}

Affected versions

10.*
10.0.0.0b1
10.0.0.0b2
10.0.0.0b3
10.0.0.0rc1
11.*
11.0.0.0b1
11.0.0.0b2
11.0.0.0b3
11.0.0.0rc1
12.*
12.0.0.0b1
12.0.0.0b2
12.0.0.0b3
12.0.0.0rc1
13.*
13.0.0.0b1
13.0.0.0b2
13.0.0.0b3
13.0.0.0rc1
14.*
14.0.0.0rc1
15.*
15.0.0.0rc1
16.*
16.0.0.0b1
16.0.0.0rc1
17.*
17.0.0.0rc1
18.*
18.0.0.0b1
18.0.0.0rc1
19.*
19.0.0.0b1
19.0.0.0rc1
20.*
20.0.0.0rc1
2013.*
2013.1.g3
2013.1.rc1
2013.2.b1
2013.2.b2
2013.2.b3
2014.*
2014.1.b1
2014.1.b2
2014.1.b3
2014.1.rc1
2014.2
2014.2.b1
2014.2.b2
2014.2.b3
2014.2.rc1
2014.2.rc2
2014.2.rc3
2015.*
2015.1.0
2015.1.0b1
2015.1.0b2
2015.1.0b3
2015.1.0rc1
2015.1.0rc2
21.*
21.0.0.0rc1
22.*
22.0.0.0rc1
23.*
23.0.0.0rc1
24.*
24.0.0
24.0.0.0rc1
24.0.0.0rc2
25.*
25.0.0.0rc1
26.*
26.0.0.0rc1
27.*
27.0.0
27.0.0.0rc1
7.*
7.0.0
7.0.0.0b1
7.0.0.0b2
7.0.0.0b3
7.0.0.0rc1
7.0.0.0rc2
7.0.0.0rc3
7.0.0a0
8.*
8.0.0
8.0.0.0b1
8.0.0.0b2
8.0.0.0b3
8.0.0.0rc1
8.0.0.0rc2
9.*
9.0.0.0b1
9.0.0.0b2
9.0.0.0b3
9.0.0.0rc1
Other
folsom-2
folsom-3
grizzly-1
grizzly-2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32498.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "22.1.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "23.0.0"
            },
            {
                "fixed": "23.1.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "26.0.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "28.0.0"
            },
            {
                "fixed": "28.0.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "27.3.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "28.0.0"
            },
            {
                "fixed": "28.1.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "29.0.0"
            },
            {
                "fixed": "29.0.3"
            }
        ]
    }
]