CVE-2024-32498

Publication date 2 July 2024

Last updated 7 November 2024


Ubuntu priority

Cvss 3 Severity Score

6.5 · Medium

Score breakdown

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

Status

Package Ubuntu Release Status
cinder 24.10 oracular
Fixed 2:24.1.0+git2024080717.383b830b-0ubuntu1
24.04 LTS noble
Fixed 2:24.0.0-0ubuntu1.2
23.10 mantic
Fixed 2:23.0.0-0ubuntu1.4
22.04 LTS jammy
Fixed 2:20.3.1-0ubuntu1.4
20.04 LTS focal
Fixed 2:16.4.2-0ubuntu2.8
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
glance 24.10 oracular
Fixed 2:28.0.1-0ubuntu3
24.04 LTS noble
Fixed 2:28.0.1-0ubuntu1.2
23.10 mantic
Fixed 2:27.0.0-0ubuntu1.2
22.04 LTS jammy
Fixed 2:24.2.1-0ubuntu1.2
20.04 LTS focal
Fixed 2:20.2.0-0ubuntu1.2
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
nova 24.10 oracular
Fixed 3:29.0.1-0ubuntu4
24.04 LTS noble
Fixed 3:29.0.1-0ubuntu1.3
23.10 mantic
Fixed 3:28.0.1-0ubuntu1.3
22.04 LTS jammy
Fixed 3:25.2.1-0ubuntu2.3
20.04 LTS focal
Fixed 2:21.2.4-0ubuntu2.8
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation

Severity score breakdown

Parameter Value
Base score 6.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

Other references