First published: Tue Jul 02 2024(Updated: )
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
OpenStack Cinder | <22.1.3 | |
OpenStack Cinder | >=23.0.0<23.1.1 | |
OpenStack Cinder | =24.0.0 | |
OpenStack Glance | <26.0.1 | |
OpenStack Glance | >=28.0.0<28.0.2 | |
OpenStack Glance | =27.0.0 | |
OpenStack Nova | <27.3.1 | |
OpenStack Nova | >=28.0.0<28.1.1 | |
OpenStack Nova | >=29.0.0<29.0.3 | |
pip/nova | <=29.0.2 | |
pip/glance | <=28.0.1 | |
pip/cinder | <=24.0.0 | |
debian/cinder | <=2:17.0.1-1+deb11u1 | 2:17.4.0-1~deb11u2 2:21.3.1-1~deb12u1 2:25.0.0-2 |
debian/glance | <=2:21.0.0-2+deb11u1 | 2:21.1.0-1+deb11u2 2:25.1.0-2+deb12u1 2:29.0.0-2 |
debian/nova | <=2:22.0.1-2+deb11u1 | 2:22.4.0-1~deb11u5 2:26.2.2-1~deb12u3 2:30.0.0-3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.