{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-32498", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-30T19:50:39.398Z", "dateReserved": "2024-04-15T00:00:00", "datePublished": "2024-07-05T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-09-23T15:16:09.036565"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://launchpad.net/bugs/2059809"}, {"name": "[oss-security] 20240702 [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/02/2"}, {"url": "https://security.openstack.org/ossa/OSSA-2024-001.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-552", "lang": "en", "description": "CWE-552 Files or Directories Accessible to External Parties"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T15:32:53.035957Z", "id": "CVE-2024-32498", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-30T19:50:39.398Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://launchpad.net/bugs/2059809", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/02/2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:46.471Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://launchpad.net/bugs/2059809", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/02/2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:46.471Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-32498", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-16T15:32:53.035957Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T13:06:38.119Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://launchpad.net/bugs/2059809"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/02/2", "name": "[oss-security] 20240702 [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)", "tags": ["mailing-list"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/02/2"}, {"url": "https://security.openstack.org/ossa/OSSA-2024-001.html"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-09-23T15:16:09.036565"}}}, "cveMetadata": {"cveId": "CVE-2024-32498", "state": "PUBLISHED", "dateUpdated": "2024-10-30T19:50:39.398Z", "dateReserved": "2024-04-15T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-05T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*", "matchCriteriaId": "15F92D40-6FF4-4B69-8CB7-8738D328C17E", "versionEndExcluding": "22.1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*", "matchCriteriaId": "0586E7A0-93EB-4514-B99B-BE36FF601385", "versionEndExcluding": "23.1.1", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:cinder:24.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2A0D5772-9130-4882-B766-6C5FABEB0A15", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D3430EC-399A-48F4-987D-EB040F0C807E", "versionEndExcluding": "26.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7C6F3A6-1F5A-4515-9BF7-EB5F0C3ABD90", "versionEndExcluding": "28.0.2", "versionStartIncluding": "28.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:glance:27.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "15C95296-C24A-4643-9C3A-66E75AEBD8DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "8232EDBD-2E0C-45AE-919A-87736B3F2E5D", "versionEndExcluding": "27.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BD5E209-E134-4EB1-9D9B-E2B564C4C43A", "versionEndExcluding": "28.1.1", "versionStartIncluding": "28.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "249930E8-A4FC-484E-A73F-9027B3F2E73C", "versionEndExcluding": "29.0.3", "versionStartIncluding": "29.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en OpenStack Cinder hasta 24.0.0, Glance antes de 28.0.2 y Nova antes de 29.0.3. El acceso arbitrario a archivos puede ocurrir a trav\u00e9s de datos externos QCOW2 personalizados. Al proporcionar una imagen QCOW2 manipulada que hace referencia a una ruta de archivo de datos espec\u00edfica, un usuario autenticado puede convencer a los sistemas para que devuelvan una copia del contenido de ese archivo desde el servidor, lo que resulta en un acceso no autorizado a datos potencialmente confidenciales. Todas las implementaciones de Cinder y Nova se ven afectadas; solo se ven afectadas las implementaciones de Glance con la conversi\u00f3n de im\u00e1genes habilitada."}], "id": "CVE-2024-32498", "lastModified": "2024-10-30T20:35:19.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-05T02:15:09.840", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/07/02/2"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://launchpad.net/bugs/2059809"}, {"source": "cve@mitre.org", "url": "https://security.openstack.org/ossa/OSSA-2024-001.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "https://www.openwall.com/lists/oss-security/2024/07/02/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-552"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Martin Kaesberger for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:4425", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "openstack-cinder-1:15.4.0-1.20230510003503.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2024:4425", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "openstack-glance-1:19.0.4-1.20230310213451.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2024:4425", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "openstack-nova-1:20.4.1-1.20221005193234.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2024:4273", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-cinder-1:15.6.1-2.20230906144858.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4273", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-glance-1:19.0.5-2.20230310205021.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4273", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-nova-1:20.6.2-2.20230814165228.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4274", "cpe": "cpe:/a:redhat:openstack:17.1::el8", "package": "openstack-nova-1:23.2.3-17.1.20231018123754.el8ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 8", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4272", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "openstack-cinder-1:18.2.2-17.1.20231011140829.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4272", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "openstack-glance-1:22.1.2-17.1.20230621071326.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4272", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "openstack-nova-1:23.2.3-17.1.20231018130828.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-07-02T00:00:00Z"}], "bugzilla": {"description": "OpenStack: malicious qcow2/vmdk images", "id": "2278663", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278663"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20->(CWE-200|CWE-400)", "details": ["An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.", "An input validation flaw was discovered in how multiple OpenStack services validate images with backing file references. An authenticated attacker could provide a malicious image via upload, or by creating and modifying an image from an existing volume. Validation of images can be triggered during image upload or when attaching images to virtual machines. During this process, the affected OpenStack services could be tricked into reading or writing to the host with the equivalent privileges of QEMU. This bypasses isolation restrictions, significantly reducing the security of an affected compute host, and could enable arbitrary code execution, a denial of service, or leaking of secrets. If exploited, the immediate impact is limited to an individual compute host. However, if the attacker has access to multiple hosts and enough time to repeat it, they could potentially spread across all compute hosts."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-32498", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "openstack-cinder", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "openstack-glance", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "openstack-nova", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "openstack-cinder", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "openstack-glance", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "openstack-nova", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "openstack-cinder", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "openstack-glance", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "openstack-nova", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2024-07-02T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-32498\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-32498\nhttps://bugs.launchpad.net/nova/+bug/2059809\nhttps://www.openwall.com/lists/oss-security/2024/07/02/2"], "statement": "The vast majority of deployments of Red Hat OpenStack Platform should be assumed to be vulnerable as they are likely to be using at least one of the impacted services: Compute (nova), Block Storage (cinder), and Image (glance).\nWhile an attacker must have valid login credentials to exploit this vulnerability, OpenStack supports multiple deployment scenarios with a variety of security postures. Open-cloud or multi-tenant deployments where infrastructure is shared by users who may be untrusted should treat this vulnerability as if it could be performed by an unauthenticated attacker. Considering this, along with the significant potential for disruption, we have rated the severity of this vulnerability as Critical.\nThe discovery of this vulnerability led to the discovery of an additional vulnerability (CVE-2024-4467) in QEMU. The impact to QEMU is significantly less as it is designed to only be run with trusted images. Red Hat OpenStack Platform is at a higher risk due from this underlying vulnerability, as OpenStack must tolerate running untrusted images.", "threat_severity": "Critical"}