Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01M3dtLTk3cDYtNTgyZs3uNw
instack-undercloud vulnerable to symlink attack on tmp files
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
Permalink: https://github.com/advisories/GHSA-53wm-97p6-582fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01M3dtLTk3cDYtNTgyZs3uNw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 27 days ago
CVSS Score: 6.4
CVSS vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Identifiers: GHSA-53wm-97p6-582f, CVE-2017-7549
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-7549
- https://access.redhat.com/errata/RHSA-2017:2557
- https://access.redhat.com/errata/RHSA-2017:2649
- https://access.redhat.com/errata/RHSA-2017:2687
- https://access.redhat.com/errata/RHSA-2017:2693
- https://access.redhat.com/errata/RHSA-2017:2726
- https://bugzilla.redhat.com/show_bug.cgi?id=1477403
- https://access.redhat.com/security/cve/CVE-2017-7549
- https://web.archive.org/web/20170907040549/http://www.securityfocus.com/bid/100407
- https://github.com/advisories/GHSA-53wm-97p6-582f
Affected Packages
pypi:instack-undercloud
Dependent packages: 0Dependent repositories: 7
Downloads: 133 last month
Affected Version Ranges: <= 7.2.0
No known fixed version
All affected versions: 4.1.0, 4.2.0, 4.2.1, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 7.0.0, 7.1.0, 7.2.0