{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-40767", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-19T14:19:41.293Z", "dateReserved": "2024-07-10T00:00:00.000Z", "datePublished": "2024-07-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-25T16:41:45.397Z"}, "descriptions": [{"lang": "en", "value": "In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://launchpad.net/bugs/2071734"}, {"url": "https://security.openstack.org"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/23/2"}, {"url": "https://security.openstack.org/ossa/OSSA-2024-002.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-552", "lang": "en", "description": "CWE-552 Files or Directories Accessible to External Parties"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T14:47:09.000894Z", "id": "CVE-2024-40767", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T14:19:41.293Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:54.912Z"}, "title": "CVE Program Container", "references": [{"url": "https://launchpad.net/bugs/2071734", "tags": ["x_transferred"]}, {"url": "https://security.openstack.org", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/23/2", "tags": ["x_transferred"]}, {"url": "https://security.openstack.org/ossa/OSSA-2024-002.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://launchpad.net/bugs/2071734", "tags": ["x_transferred"]}, {"url": "https://security.openstack.org", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/23/2", "tags": ["x_transferred"]}, {"url": "https://security.openstack.org/ossa/OSSA-2024-002.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:54.912Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-40767", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T14:47:09.000894Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:47:16.895Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://launchpad.net/bugs/2071734"}, {"url": "https://security.openstack.org"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/23/2"}, {"url": "https://security.openstack.org/ossa/OSSA-2024-002.html"}], "descriptions": [{"lang": "en", "value": "In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-25T16:41:45.397Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40767", "state": "PUBLISHED", "dateUpdated": "2025-03-19T14:19:41.293Z", "dateReserved": "2024-07-10T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-24T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "D74C8EE9-1EC5-4286-B208-383ED634118F", "versionEndExcluding": "27.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "716EDE86-85A2-4CB9-B494-D4F2D08052F3", "versionEndExcluding": "28.2.1", "versionStartIncluding": "28.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "11E02C0C-E7BD-47D4-BAF9-906CE166CD0B", "versionEndExcluding": "29.1.1", "versionStartIncluding": "29.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498."}, {"lang": "es", "value": "En OpenStack Nova anterior a 27.4.1, 28 anterior a 28.2.1 y 29 anterior a 29.1.1, al proporcionar una imagen sin formato que en realidad es una imagen QCOW2 manipulada con una ruta de archivo de respaldo o una imagen plana VMDK con una ruta de archivo descriptiva, se El usuario autenticado puede convencer a los sistemas para que devuelvan una copia del contenido del archivo al que se hace referencia desde el servidor, lo que resulta en un acceso no autorizado a datos potencialmente confidenciales. Todas las implementaciones de Nova se ven afectadas. NOTA: este problema existe debido a una soluci\u00f3n incompleta para CVE-2022-47951 y CVE-2024-32498."}], "id": "CVE-2024-40767", "lastModified": "2025-03-19T15:15:48.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-24T05:15:12.907", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://launchpad.net/bugs/2071734"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://security.openstack.org"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://security.openstack.org/ossa/OSSA-2024-002.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/07/23/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://launchpad.net/bugs/2071734"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.openstack.org"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.openstack.org/ossa/OSSA-2024-002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/07/23/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-552"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Arnaud Morin (OVH) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:5113", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "openstack-nova-1:20.4.1-1.20221005193235.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5097", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-nova-1:20.6.2-2.20230814165229.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:5083", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "openstack-nova-1:23.2.3-17.1.20231018130829.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-08-07T00:00:00Z"}], "bugzilla": {"description": "openstack-nova: Regression VMDK/qcow arbitrary file access", "id": "2297217", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297217"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-552", "details": ["In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.", "An arbitrary file access flaw was found in Nova. By supplying a RAW format image, a specially crafted QCOW2 image with a backing file path, or a VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file\u2019s contents from the server. This issue results in unauthorized access to potentially sensitive data."], "name": "CVE-2024-40767", "package_state": [{"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "openstack-nova", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2024-07-23T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40767\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40767\nhttps://security.openstack.org/ossa/OSSA-2024-002.html"], "statement": "This vulnerability was rated with a severity of Important due to the potential to read sensitive information from a Nova compute host. This vulnerability was introduced as a result of the fixes for CVE-2024-32498 and only affects versions of Nova that include the patches for CVE-2024-32498.", "threat_severity": "Important"}