CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-32498 – OpenStack: malicious qcow2/vmdk images
https://notcve.org/view.php?id=CVE-2024-32498
03 Jul 2024 — An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled... • https://launchpad.net/bugs/2059809 • CWE-400: Uncontrolled Resource Consumption CWE-552: Files or Directories Accessible to External Parties •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3641 – openstack-cinder: Cinder-volume host data leak to virtual machine instance
https://notcve.org/view.php?id=CVE-2014-3641
08 Oct 2014 — The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header. Los controladores (1) GlusterFS y (2) Linux Smbfs en OpenStack Cinder anterior a 2014.1.3 permiten a usuarios remotos autenticados obtener datos de ficheros del anfitrión Cinder-volume mediante el clonación y adjunto de un volumen con una cabecera qcow2 manipulada. OpenStack Block Sto... • http://rhn.redhat.com/errata/RHSA-2014-1787.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •