Symbolic Link Attack

2019-01-1509:19:18

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.0004 Low

EPSS

Percentile

5.1%

JSON

instack-undercloud is vulnerable to symbolic link attacks. The library uses a hardcoded temporary files during pre-installation, allowing a malicious user to conduct a symbolic link attack and overwrite arbitrary files.

CPENameOperatorVersion
instack-undercloudeq2.1.2__23.el7ost
instack-undercloudeq4.0.0__11.el7ost
instack-undercloudeq2.1.2__22.el7ost
instack-undercloudeq4.0.0__13.el7ost
instack-undercloudeq4.0.0__17.el7ost
instack-undercloudeq5.2.0__1.el7ost
instack-undercloudeq2.1.2__40.el7ost
instack-undercloudeq2.2.7__8.el7ost
instack-undercloudeq1.0.42__1.el7ost
instack-undercloudeq2.1.2__29.el7ost

Name	Operator	Version
instack-undercloud	eq	2.1.2__23.el7ost
instack-undercloud	eq	4.0.0__11.el7ost
instack-undercloud	eq	2.1.2__22.el7ost
instack-undercloud	eq	4.0.0__13.el7ost
instack-undercloud	eq	4.0.0__17.el7ost
instack-undercloud	eq	5.2.0__1.el7ost
instack-undercloud	eq	2.1.2__40.el7ost
instack-undercloud	eq	2.2.7__8.el7ost
instack-undercloud	eq	1.0.42__1.el7ost
instack-undercloud	eq	2.1.2__29.el7ost