instack-undercloud is vulnerable to symbolic link attacks. The library uses hardcoded temporary files during pre-installation, allowing a malicious user to conduct a symbolic link attack and overwrite arbitrary files.
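The weakness class described above, shown as an added example beside its hardened forms (this is not instack-undercloud code). All file names are constructed stand-ins inside a throwaway sandbox directory, and the function names are hypothetical.

```python
import os
import tempfile

def write_predictable(path, data):
    """Weak pattern: open() on a fixed name follows any symlink already there."""
    with open(path, "w") as f:
        f.write(data)

def write_exclusive(path, data):
    """Hardened: O_EXCL fails if the name exists (symlinks included); O_NOFOLLOW as backup."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def write_private_temp(data, prefix="preinstall-"):
    """Preferred: mkstemp picks an unpredictable name, created O_EXCL with mode 0600."""
    fd, path = tempfile.mkstemp(prefix=prefix)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def demo():
    """Run each pattern inside a constructed sandbox directory and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        protected = os.path.join(sandbox, "protected.conf")  # constructed sample file
        fixed = os.path.join(sandbox, "fixed-name.tmp")  # stands in for a hardcoded temp path
        with open(protected, "w") as f:
            f.write("original")
        os.symlink(protected, fixed)  # a link already sits at the predictable name
        write_predictable(fixed, "installer data")
        with open(protected) as f:
            results["weak_clobbered"] = f.read() != "original"
        with open(protected, "w") as f:  # restore before testing the hardened write
            f.write("original")
        try:
            write_exclusive(fixed, "installer data")
            results["hardened_refused"] = False
        except FileExistsError:
            results["hardened_refused"] = True
        with open(protected) as f:
            results["protected_intact"] = f.read() == "original"
        path = write_private_temp("installer data")
        results["temp_mode"] = oct(os.stat(path).st_mode & 0o777)
        os.unlink(path)
    return results
```

When auditing installer scripts for this class of bug, look for writes to fixed names under world-writable directories such as `/tmp` by a privileged process.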
www.securityfocus.com/bid/100407
access.redhat.com/errata/RHSA-2017:2557
access.redhat.com/errata/RHSA-2017:2649
access.redhat.com/errata/RHSA-2017:2687
access.redhat.com/errata/RHSA-2017:2693
access.redhat.com/errata/RHSA-2017:2726
access.redhat.com/security/cve/CVE-2017-7549
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1465616
bugzilla.redhat.com/show_bug.cgi?id=1477403
bugzilla.redhat.com/show_bug.cgi?id=1479841