CVE-2024-40767

July 24, 2024, 12:55 p.m.

None
No Score

Description

In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.

Product(s) Impacted

Product Versions
OpenStack Nova
  • ['<27.4.1', '28 <28.2.1', '29 <29.1.1']

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://launchpad.net/bugs/2071734
https://security.openstack.org
https://www.openwall.com/lists/oss-security/2024/07/23/2

Tags

cve@mitre.org
2024-07-24
CVE-2024-40767

Timeline

Published: July 24, 2024, 5:15 a.m.
Last Modified: July 24, 2024, 12:55 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.