ID CVE-2017-7549
Summary A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Ocata, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
References
Vulnerable Configurations
  • cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
CVSS
Base: 3.3 (as of 12-02-2023 - 23:31)
Impact:
Exploitability:
CWE CWE-377
CAPEC
  • Screen Temporary Files for Sensitive Information
    An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.
Access
  Vector: LOCAL
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:L/AC:M/Au:N/C:P/I:P/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2017:2557
  • rhsa
    id RHSA-2017:2649
  • rhsa
    id RHSA-2017:2687
  • rhsa
    id RHSA-2017:2693
  • rhsa
    id RHSA-2017:2726
rpms
  • instack-undercloud-0:4.0.0-17.el7ost
  • instack-undercloud-0:5.3.0-3.el7ost
  • instack-undercloud-0:2.2.7-10.el7ost
  • instack-undercloud-0:2.1.2-41.el7ost
  • instack-undercloud-0:6.1.0-3.el7ost
refmap via4
bid 100407
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1477403
Last major update 12-02-2023 - 23:31
Published 21-09-2017 - 21:29
Last modified 12-02-2023 - 23:31