Wiz
Vulnerability DatabaseCVE-2024-32498

CVE-2024-32498
Python vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2024-32498) was discovered in OpenStack's QCOW2 image processing affecting multiple components: Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. The vulnerability was reported by Martin Kaesberger and disclosed on July 2, 2024. The issue affects all Cinder and Nova deployments, while only Glance deployments with image conversion enabled are vulnerable (OpenStack OSSA, NVD).

Technical details

The vulnerability allows arbitrary file access through custom QCOW2 external data. The issue stems from QCOW2's mechanisms to read from another file, specifically the external data file feature. While a previous vulnerability related to backing files was addressed in OSSA-2015-014, this separate vector remained undiscovered. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

Impact

When exploited, this vulnerability allows an authenticated user to access potentially sensitive data by convincing systems to return copies of arbitrary file contents from the server. The attacker can achieve this by supplying a specially crafted QCOW2 image that references specific data file paths (OpenStack OSSA).

Mitigation and workarounds

Patches have been released for all affected versions of Cinder, Glance, and Nova. The fixes involve implementing checks to detect and reject QCOW2 images with data-file attributes. Organizations should upgrade to Cinder version 22.1.3 or later, Glance version 28.0.2 or later, and Nova version 29.0.3 or later. Multiple patches have been provided for different versions and components to address the vulnerability comprehensively (OpenStack OSSA).

Community reactions

Due to the scope of the problem and complexity of the resulting fixes, there were some challenges during the coordinated disclosure period. The initial publication date had to be rescheduled, extending four days beyond the standard ninety-day maximum embargo length. This led to additional work for stakeholders as regression fixes and patches were supplied (OpenStack OSSA).

Additional resources

SourceThis report was generated using AI

Related Python vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

GHSA-66hx-chf7-3332HIGH8.8
  • PythonPython
  • pyload-ng
NoNoApr 14, 2026
CVE-2026-40192HIGH8.7
  • PythonPython
  • pillow
NoYesApr 15, 2026
CVE-2026-40347MEDIUM5.3
  • PythonPython
  • python-multipart
NoYesApr 15, 2026
GHSA-jj6c-8h6c-hppxMEDIUM4.8
  • PythonPython
  • pypdf
NoYesApr 15, 2026
GHSA-fj52-5g4h-gmq8LOW2.9
  • PythonPython
  • pyload-ng
NoNoApr 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo