Source: cinder
Version: 2:21.1.0-3
Severity: grave
Tags: patch

Title: Arbitrary file access through custom QCOW2 external data
Reporter: Martin Kaesberger
Products: Cinder, Glance, Nova
Description: Martin Kaesberger reported a vulnerability in QCOW2 image processing for Cinder, Glance and Nova. By supplying a specially created QCOW2 image which references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.

All Cinder deployments are affected; only Glance deployments with image conversion enabled are affected; all Nova deployments are affected.

Original private report: https://launchpad.net/bugs/2059809
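A defensive pre-check for the image feature described above, added here as an example; it is not the patch attached to this report or OpenStack's own code. It reads only the raw header bytes of an upload and flags a QCOW2 version 3 image that declares an external data file. The field offsets and constants follow the published QCOW2 format specification; the function names and the sample header are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2  # incompatible-features bit 2: external data file
EXT_DATA_FILE_NAME = 0x44415441  # header extension holding the data file path
EXT_END = 0x00000000
V3_HEADER_MIN = 104

def qcow2_data_file_findings(buf):
    """Return reasons to refuse the image; an empty list means none were found."""
    if len(buf) < 8 or buf[:4] != QCOW2_MAGIC:
        return ["not a QCOW2 image"]
    (version,) = struct.unpack_from(">I", buf, 4)
    if version < 3:
        return []  # feature bits and the data file extension exist from v3 on
    if len(buf) < V3_HEADER_MIN:
        return ["truncated version 3 header"]
    (incompat,) = struct.unpack_from(">Q", buf, 72)
    (header_len,) = struct.unpack_from(">I", buf, 100)
    findings = []
    if incompat & INCOMPAT_EXTERNAL_DATA:
        findings.append("external data file feature bit set")
    if header_len < V3_HEADER_MIN:
        return findings + ["invalid header length"]
    pos = header_len  # header extensions start right after the header
    while pos + 8 <= len(buf):
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE_NAME:
            findings.append("external data file name extension present")
        pos += 8 + ((ext_len + 7) & ~7)  # extension data is padded to 8 bytes
    return findings

def sample_header(incompat=0, data_file=None):
    """Constructed version 3 header for the demo; not a usable disk image."""
    hdr = bytearray(V3_HEADER_MIN)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)            # version
    struct.pack_into(">Q", hdr, 72, incompat)    # incompatible_features
    struct.pack_into(">I", hdr, 100, len(hdr))   # header_length
    if data_file:
        padded = data_file + b"\0" * (-len(data_file) % 8)
        hdr += struct.pack(">II", EXT_DATA_FILE_NAME, len(data_file)) + padded
    return bytes(hdr) + struct.pack(">II", EXT_END, 0)

if __name__ == "__main__":
    crafted = sample_header(INCOMPAT_EXTERNAL_DATA, b"/constructed/placeholder/path")
    print(qcow2_data_file_findings(sample_header()), qcow2_data_file_findings(crafted))
```

The check works on bytes alone, so it can run on an upload before any image tool is asked to open or convert the file.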