Cloud Computing

In VMware HCX (Hybrid Cloud Extension) versions 4.8.0 – 4.8.2 and 4.9.0 – 4.9.1 a high severity vulnerability CVE-2024-38814 was detected. This vulnerability allows authenticated attackers with non-administrator privileges to execute specially crafted SQL queries, potentially leading to unauthorized remote code execution on the HCX Manager. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38814.

In OpenStack Ironic versions before 21.4.3, from 22.0.0 to 23.0.2, from 23.1.0 to 24.1.2, and from 25.0.0 to 26.0.1 a medium severity vulnerability CVE-2024-44082 was detected. This vulnerability allows attackers to exploit crafted images in OpenStack Ironic, leading to unauthorized access to potentially sensitive data by triggering undesired behaviors in qemu-img. To fix this problem users should upgrade OpenStack Ironic to versions 21.4.3, 23.0.2, 24.1.2, and 26.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-44082.

In OpenStack Nova versions before 27.4.1, 28.0 before 28.2.1, and 29.0 before 29.1.1 a medium severity vulnerability CVE-2024-40767 was detected. This vulnerability allows attackers to gain unauthorized access to potentially sensitive data by supplying a crafted image with a file path reference in OpenStack Nova, which can result in the server returning the contents of the referenced file. To fix this problem, users should upgrade OpenStack Nova to versions 27.4.1 and later, 28.2.1 and later, and 29.1.1 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-40767.

In OpenStack versions 16.1, 16.2, 17.1 a high severity vulnerability CVE-2024-8007 was detected. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack. To fix this issue, users must upgrade OpenStack to the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8007/.

In OpenStack versions 16.1/16.2/17.0 a high severity vulnerability CVE-2024-7319 was detected. This vulnerability allows the disclosure of sensitive information through the OpenStack stack abandon command. To fix this issue, users should upgrade to version 22.0.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-7319.

In OpenStack components Cinder through version 24.0.0, Glance before version 28.0.2, and Nova before version 29.0.3 a medium severity vulnerability CVE-2024-32498 was detected. This vulnerability allows attackers to read important files on your system using a specially made file. To fix this problem, users should upgrade the OpenStack Cinder component to version 24.0.1 or later, the OpenStack Glance component to version 28.0.2 or later and the OpenStack Nova component to version 29.0.3 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-32498.

In OpenStack Platform a medium severity vulnerability CVE-2024-4840 was detected. This flaw could expose sensitive information by storing plaintext passwords in log files. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4840/.