Lucene search

GitHub Advisory DatabaseGHSA-W4X6-6W3R-9H2M

HistoryMar 23, 2023 - 9:30 p.m.

tripleo-ansible may disclose important configuration details from an OpenStack deployment

2023-03-2321:30:19

CWE-22

CWE-276

CWE-732

GitHub Advisory Database

github.com

tripleo-ansible

openstack

information disclosure

insecure configuration

sensitive file

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

15.9%

JSON

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment.

Affected configurations

Vulners

Node

tripleoansibleRange≤6.0.0

CPENameOperatorVersion
tripleo-ansiblele6.0.0

CPE	Name	Operator	Version
	tripleo-ansible	le	6.0.0

References

access.redhat.com/security/cve/CVE-2022-3146

github.com/advisories/GHSA-w4x6-6w3r-9h2m

nvd.nist.gov/vuln/detail/CVE-2022-3146

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

15.9%

JSON

Related for GHSA-W4X6-6W3R-9H2M