CVSS2: 3.6 Low (AV:L/AC:L/Au:N/C:N/I:P/A:P)
Attack Vector: LOCAL; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 5.1%)
Issue Overview:
It was discovered that keycloak-httpd-client-install uses a predictable log file name in /tmp. A local attacker could create a symbolic link to a sensitive location, possibly causing data corruption or denial of service. (CVE-2017-15111)
In keycloak-httpd-client-install prior to version 0.8, the admin password could be provided through a command-line argument. This might result in the password being leaked through shell history, or becoming visible to a local attacker at the time the program is running. (CVE-2017-15112)
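The log file issue (CVE-2017-15111) comes down to how the file is opened. The following Python 3 sketch is an added example, not code from keycloak-httpd-client-install or from this advisory; the function names, file names and the scratch directory standing in for /tmp are all assumptions made for illustration. It contrasts a plain open() on a predictable path with an exclusive, non-following create.

```python
import os
import tempfile

def open_log_naive(path):
    """Pattern the advisory describes: open() follows a link planted at `path`."""
    return open(path, "w")

def open_log_hardened(path):
    """Create the log exclusively; fail if anything (file or link) already exists."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # owner-only permissions
    return os.fdopen(fd, "w")

def open_log_private():
    """Preferred: unpredictable directory (mode 0700) that other users cannot write to."""
    log_dir = tempfile.mkdtemp(prefix="kc-install-")  # hypothetical prefix
    path = os.path.join(log_dir, "install.log")
    return path, open_log_hardened(path)

def demo():
    """Constructed scenario; a scratch directory stands in for /tmp."""
    scratch = tempfile.mkdtemp()
    target = os.path.join(scratch, "important.conf")  # stands in for a sensitive file
    with open(target, "w") as f:
        f.write("keep me\n")
    log_path = os.path.join(scratch, "tool.log")  # predictable log name
    os.symlink(target, log_path)  # link already present before the tool runs

    results = {}
    try:
        with open_log_hardened(log_path) as log:
            log.write("log line\n")
        results["hardened_refused"] = False
    except FileExistsError:
        results["hardened_refused"] = True
    with open(target) as f:
        results["intact_after_hardened"] = f.read() == "keep me\n"

    with open_log_naive(log_path) as log:  # truncates and overwrites the link target
        log.write("log line\n")
    with open(target) as f:
        results["clobbered_by_naive"] = f.read() == "log line\n"
    return results

if __name__ == "__main__":
    print(demo())
```

When auditing other tools for the same pattern, look for fixed file names under /tmp opened without O_EXCL or without a per-user private directory.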
Affected Packages:
keycloak-httpd-client-install
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update keycloak-httpd-client-install to update your system.
New Packages:
noarch:
keycloak-httpd-client-install-0.8-1.amzn2.noarch
python2-keycloak-httpd-client-install-0.8-1.amzn2.noarch
src:
keycloak-httpd-client-install-0.8-1.amzn2.src
Red Hat: CVE-2017-15111, CVE-2017-15112
Mitre: CVE-2017-15111, CVE-2017-15112
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | noarch | keycloak-httpd-client-install | < 0.8-1.amzn2 | keycloak-httpd-client-install-0.8-1.amzn2.noarch.rpm |
Amazon Linux | 2 | noarch | python2-keycloak-httpd-client-install | < 0.8-1.amzn2 | python2-keycloak-httpd-client-install-0.8-1.amzn2.noarch.rpm |