Lucene search

[email protected]CVE-2017-7549

HistorySep 21, 2017 - 9:29 p.m.

CVE-2017-7549

2017-09-2121:29:00

CWE-59

CWE-377

[email protected]

web.nvd.nist.gov

instack-undercloud

red hat

openstack

security flaw

cve-2017-7549

symbolic-link attack

nvd

3.3 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:P/A:N

6.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

Affected configurations

Vulners

NVD

Node

red_hat\,_inc.instack-undercloudRange≤7.2.0

red_hat\,_inc.instack-undercloudRange≤6.1.0

red_hat\,_inc.instack-undercloudRange≤5.3.0

CPENameOperatorVersion
openstack:instack-undercloudopenstack instack-undercloudeq7.2.0

CPE	Name	Operator	Version
openstack:instack-undercloud	openstack instack-undercloud	eq	7.2.0

CNA Affected

[
  {
    "product": "instack-undercloud",
    "vendor": "Red Hat, Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "Pike, 12: v7.2.0, Ocata, 11: v6.1.0, Newton, 10: v5.3.0"
      }
    ]
  }
]