High severityNVD Advisory· Published Jul 5, 2024· Updated Nov 4, 2025
CVE-2024-32498
CVE-2024-32498
Description
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cinderPyPI | <= 24.0.0 | — |
glancePyPI | <= 28.0.1 | — |
novaPyPI | <= 29.0.2 | — |
Affected products
3- ghsa-coords3 versions
<= 24.0.0+ 2 more
- (no CPE)range: <= 24.0.0
- (no CPE)range: <= 28.0.1
- (no CPE)range: <= 29.0.2
Patches
Vulnerability mechanics
References
16- github.com/advisories/GHSA-r4v4-w9pv-6fphghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-32498ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/07/02/2ghsamailing-listWEB
- github.com/openstack/cinder/commit/78f85c1f9b20a067ef64d6451dee0228c3a0db5eghsaWEB
- github.com/openstack/cinder/commit/d6a186945e03649343af55b46ed8dfe0dd326e40ghsaWEB
- github.com/openstack/glance/commit/22f0c9c6f98db1d93569e3edb800c271f35b0ef9ghsaWEB
- github.com/openstack/glance/commit/2e65391744a82421bc6f026ee8f1f3550038f175ghsaWEB
- github.com/openstack/glance/commit/867d1dd8b6e4f5774257a98c7c33061fbbbde973ghsaWEB
- github.com/openstack/glance/commit/cc7d53adbecf85f3d7df78e7618fe8ab3a075c5fghsaWEB
- github.com/openstack/glance/commit/d607e78630cc9d1ca18b3a027322809c042f64dfghsaWEB
- github.com/openstack/nova/commit/657e86585cc57f84ab9b364dd189547d231d5927ghsaWEB
- launchpad.net/bugs/2059809ghsaWEB
- lists.debian.org/debian-lts-announce/2024/09/msg00016.htmlghsaWEB
- lists.debian.org/debian-lts-announce/2024/09/msg00017.htmlghsaWEB
- security.openstack.org/ossa/OSSA-2024-001.htmlghsaWEB
- www.openwall.com/lists/oss-security/2024/07/02/2ghsaWEB
News mentions
0No linked articles in our index yet.