
CVSS: 8.8 | EPSS: 0% | CPEs: 9 | EXPL: 0

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

References:
• https://launchpad.net/bugs/2059809
• https://www.openwall.com/lists/oss-security/2024/07/02/2
• http://www.openwall.com/lists/oss-security/2024/07/02/2
• https://security.openstack.org/ossa/OSSA-2024-001.html
• https://access.redhat.com/security/cve/CVE-2024-32498
• https://bugzilla.redhat.com/show_bug.cgi?id=2278663

CWE:
• CWE-400: Uncontrolled Resource Consumption
• CWE-552: Files or Directories Accessible to External Parties

CVSS: 7.7 | EPSS: 0% | CPEs: 8 | EXPL: 1

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.

A flaw was found in OpenStack-nova, Openstack-glance, and Openstack-cinder.

References:
• https://launchpad.net/bugs/1996188
• https://lists.debian.org/debian-lts-announce/2023/01/msg00040.html
• https://lists.debian.org/debian-lts-announce/2023/01/msg00041.html
• https://lists.debian.org/debian-lts-announce/2023/01/msg00042.html
• https://security.openstack.org/ossa/OSSA-2023-002.html
• https://www.debian.org/security/2023/dsa-5336
• https://www.debian.org/security/2023/dsa-5337
• https://www.debian.org/security/2023/dsa-5338
• https://access.redhat.com/security/cve/CVE

CWE:
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-552: Files or Directories Accessible to External Parties

CVSS: 9.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

The nlpweb/glance repository through 2014-06-27 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

References:
• https://github.com/github/securitylab/issues/669#issuecomment-1117265726

CWE:
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.

References:
• http://www.securityfocus.com/bid/96988
• https://bugs.launchpad.net/ossn/+bug/1153614
• https://bugs.launchpad.net/ossn/+bug/1606495
• https://wiki.openstack.org/wiki/OSSN/OSSN-0078

CWE:
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them.

References:
• http://lists.openstack.org/pipermail/openstack-announce/2015-July/000481.html
• http://www.securityfocus.com/bid/76068
• https://bugs.launchpad.net/glance/+bug/1454087

CWE:
• CWE-399: Resource Management Errors