Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/nova@2:22.0.1-2%2Bdeb11u1
purl pkg:deb/debian/nova@2:22.0.1-2%2Bdeb11u1
Next non-vulnerable version 2:26.2.2-1~deb12u3
Latest non-vulnerable version 2:26.2.2-1~deb12u3
Risk 10.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-h6rd-5p7q-s3gq
Aliases:
CVE-2024-32498
GHSA-r4v4-w9pv-6fph
OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
2:26.2.2-1~deb12u3
Affected by 0 other vulnerabilities.
VCID-hd9e-1msb-uqa6
Aliases:
CVE-2023-2088
openstack-cinder: silently access other user's volumes
2:26.2.2-1~deb12u3
Affected by 0 other vulnerabilities.
VCID-m5vc-4my3-87gk
Aliases:
CVE-2022-37394
GHSA-v725-c588-h936
OpenStack Nova Changing vnic_type breaks compute service restart An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user may cause the compute service to fail to restart, resulting in a possible denial of service. Only Nova deployments configured with SR-IOV are affected.
2:26.2.2-1~deb12u3
Affected by 0 other vulnerabilities.
VCID-s69v-tc7x-37fe
Aliases:
CVE-2026-24708
GHSA-m4f3-qp2w-gwh6
OpenStack Nova calls qemu-img without format restrictions for resize An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image backend (usually configured with use_cow_images=False) are affected.
2:26.2.2-1~deb12u3
Affected by 0 other vulnerabilities.
VCID-zwuz-pgjz-rkb9
Aliases:
CVE-2021-3654
GHSA-vqp6-j452-j6wp
URL Redirection to Untrusted Site ('Open Redirect') A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
2:26.2.2-1~deb12u3
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-1fb2-ccby-7yfq An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected. CVE-2020-17376
GHSA-c7w7-9c85-4qxv
PYSEC-2020-243
VCID-2dpk-ncrc-1fcw An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and could include sensitive configuration or other data. CVE-2019-14433
GHSA-pg64-r7rr-phv8
PYSEC-2019-191
VCID-br4q-499g-vqhg OpenStack Cinder, glance, and Nova vulnerable to Path Traversal An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. CVE-2022-47951
GHSA-7h75-hwxx-qpgc
VCID-qfdm-g857-3yb5 OpenStack Nova can leak consoleauth token into log files An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to `NovaProxyRequestHandlerBase.new_websocket_client` in `console/websocketproxy.py`. CVE-2015-9543
GHSA-22jm-4hxw-35jf

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T09:53:33.121604+00:00 Debian Importer Affected by VCID-m5vc-4my3-87gk https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:44:40.721779+00:00 Debian Importer Affected by VCID-zwuz-pgjz-rkb9 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:51:54.892855+00:00 Debian Importer Affected by VCID-hd9e-1msb-uqa6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T01:06:41.852315+00:00 Debian Oval Importer Fixing VCID-2dpk-ncrc-1fcw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T23:14:09.836061+00:00 Debian Oval Importer Affected by VCID-h6rd-5p7q-s3gq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T22:45:35.047009+00:00 Debian Oval Importer Fixing VCID-br4q-499g-vqhg https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T19:11:16.752571+00:00 Debian Oval Importer Affected by VCID-s69v-tc7x-37fe https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T18:10:51.834188+00:00 Debian Oval Importer Fixing VCID-qfdm-g857-3yb5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T16:44:14.691974+00:00 Debian Oval Importer Fixing VCID-1fb2-ccby-7yfq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-13T06:37:05.672885+00:00 Debian Importer Affected by VCID-m5vc-4my3-87gk https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:30:16.584394+00:00 Debian Importer Affected by VCID-zwuz-pgjz-rkb9 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-12T00:38:40.770847+00:00 Debian Oval Importer Fixing VCID-2dpk-ncrc-1fcw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T22:49:56.306733+00:00 Debian Oval Importer Affected by VCID-h6rd-5p7q-s3gq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T22:22:06.867941+00:00 Debian Oval Importer Fixing VCID-br4q-499g-vqhg https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T18:54:54.529715+00:00 Debian Oval Importer Affected by VCID-s69v-tc7x-37fe https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T18:24:01.776125+00:00 Debian Importer Affected by VCID-hd9e-1msb-uqa6 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T17:56:20.168353+00:00 Debian Oval Importer Fixing VCID-qfdm-g857-3yb5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T16:31:04.983281+00:00 Debian Oval Importer Fixing VCID-1fb2-ccby-7yfq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-09T00:08:38.013253+00:00 Debian Oval Importer Fixing VCID-2dpk-ncrc-1fcw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T22:24:32.480488+00:00 Debian Oval Importer Affected by VCID-h6rd-5p7q-s3gq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T21:58:09.487270+00:00 Debian Oval Importer Fixing VCID-br4q-499g-vqhg https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T18:39:35.006761+00:00 Debian Oval Importer Affected by VCID-s69v-tc7x-37fe https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T18:23:55.577828+00:00 Debian Importer Affected by VCID-m5vc-4my3-87gk https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T18:15:08.639524+00:00 Debian Importer Affected by VCID-hd9e-1msb-uqa6 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T17:43:08.447573+00:00 Debian Oval Importer Fixing VCID-qfdm-g857-3yb5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T16:22:15.612193+00:00 Debian Oval Importer Fixing VCID-1fb2-ccby-7yfq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-04T18:11:12.123994+00:00 Debian Importer Affected by VCID-zwuz-pgjz-rkb9 https://security-tracker.debian.org/tracker/data/json 38.1.0