GitHub Advisory DatabaseGHSA-8936-44GW-7664TripleO Heat templates might allow remote attackers to obtain sensitive information from private containers
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
71.5%
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| openstack | tripleo_heat_templates | * | cpe:2.3:a:openstack:tripleo_heat_templates:*:*:*:*:*:*:*:* |
References
access.redhat.com/errata/RHSA-2015:1862
access.redhat.com/security/cve/CVE-2015-5271
bugs.launchpad.net/tripleo/+bug/1494896
bugzilla.redhat.com/show_bug.cgi?id=1261697
git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476
github.com/advisories/GHSA-8936-44gw-7664
launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch
nvd.nist.gov/vuln/detail/CVE-2015-5271
review.openstack.org/226541
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
71.5%