CVE-2023-6725

2024-03-1513:15:06

Debian Security Bug Tracker

security-tracker.debian.org

openstack

designate

access-control

unauthorized access

sensitive information

bind

configuration

world readable

cve-2023-6725

CVSS3

6.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

AI Score

6.8

Confidence

Low

EPSS

Percentile

15.5%

JSON

An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.

OSVersionArchitecturePackageVersionFilename
Debian12alldesignate< 1:15.0.0-4designate_1:15.0.0-4_all.deb
Debian11alldesignate< 1:11.0.0-2designate_1:11.0.0-2_all.deb
Debian999alldesignate< 1:19.0.0~rc1-2designate_1:19.0.0~rc1-2_all.deb
Debian13alldesignate< 1:18.0.0-4designate_1:18.0.0-4_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	designate	< 1:15.0.0-4	designate_1:15.0.0-4_all.deb
Debian	11	all	designate	< 1:11.0.0-2	designate_1:11.0.0-2_all.deb
Debian	999	all	designate	< 1:19.0.0~rc1-2	designate_1:19.0.0~rc1-2_all.deb
Debian	13	all	designate	< 1:18.0.0-4	designate_1:18.0.0-4_all.deb