Source: cinder
Version: 2:21.1.0-3
Severity: grave
Tags: patch

Title: Arbitrary file access through custom QCOW2 external data
Reporter: Martin Kaesberger
Products: Cinder, Glance, Nova

Description:
Martin Kaesberger reported a vulnerability in QCOW2 image processing
for Cinder, Glance and Nova. By supplying a specially created QCOW2
image which references a specific data file path, an authenticated
user may convince systems to return a copy of that file's contents
from the server resulting in unauthorized access to potentially
sensitive data. All Cinder deployments are affected; only Glance
deployments with image conversion enabled are affected; all Nova
deployments are affected.

Original private report: https://launchpad.net/bugs/2059809

Reply via email to