instack-undercloud is vulnerable to symbolic link attacks. The library uses hardcoded temporary files during pre-installation, allowing a malicious user to conduct a symbolic link attack and overwrite arbitrary files.
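
The pattern behind this class of bug, shown as an added example that is not instack-undercloud's own code: a write to a predictable path follows a link that is already there, while exclusive creation and `tempfile.mkstemp` do not. The file names (`preinstall.tmp`, `victim.conf`) and the scratch directory are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def write_predictable(path, data):
    """Vulnerable pattern: open() follows whatever already sits at `path`."""
    with open(path, "w") as fh:
        fh.write(data)

def write_exclusive(path, data):
    """Hardened: O_CREAT|O_EXCL fails if anything, symlink included, exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def write_unpredictable(data, directory):
    """Preferred: mkstemp picks a random name and creates it exclusively, 0600."""
    fd, path = tempfile.mkstemp(prefix="preinstall-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    """Constructed scenario, confined to a private scratch directory."""
    out = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = Path(scratch, "victim.conf")
        fixed = Path(scratch, "preinstall.tmp")  # hypothetical hardcoded name
        victim.write_text("original")
        fixed.symlink_to(victim)  # link already present before the write

        write_predictable(fixed, "installer data")
        out["after_predictable"] = victim.read_text()

        victim.write_text("original")
        try:
            write_exclusive(fixed, "installer data")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        out["after_exclusive"] = victim.read_text()

        path = write_unpredictable("installer data", scratch)
        out["mkstemp_regular"] = os.path.isfile(path) and not os.path.islink(path)
    return out

if __name__ == "__main__":
    print(demo())
```
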
Name | Operator | Version |
---|---|---|
instack-undercloud | le | 7.4.14 |
instack-undercloud | le | 6.1.0 |
www.securityfocus.com/bid/100407
access.redhat.com/errata/RHSA-2017:2557
access.redhat.com/errata/RHSA-2017:2649
access.redhat.com/errata/RHSA-2017:2687
access.redhat.com/errata/RHSA-2017:2693
access.redhat.com/errata/RHSA-2017:2726
access.redhat.com/security/cve/CVE-2017-7549
bugzilla.redhat.com/show_bug.cgi?id=1477403