Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2017-7549
Vulnerability from cvelistv5
Published
2017-09-21 20:00
Modified
2024-08-05 16:04
Severity ?
EPSS score ?
Summary
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Red Hat, Inc. | instack-undercloud |
Version: Pike, 12: v7.2.0, Ocata, 11: v6.1.0, Newton, 10: v5.3.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:04:12.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:2726",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"name": "100407",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100407"
},
{
"name": "RHSA-2017:2649",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"name": "RHSA-2017:2687",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"name": "RHSA-2017:2557",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"name": "RHSA-2017:2693",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "instack-undercloud",
"vendor": "Red Hat, Inc.",
"versions": [
{
"status": "affected",
"version": "Pike, 12: v7.2.0, Ocata, 11: v6.1.0, Newton, 10: v5.3.0"
}
]
}
],
"datePublic": "2017-08-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-04T19:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2017:2726",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"name": "100407",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100407"
},
{
"name": "RHSA-2017:2649",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"name": "RHSA-2017:2687",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"name": "RHSA-2017:2557",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"name": "RHSA-2017:2693",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2017-7549",
"datePublished": "2017-09-21T20:00:00Z",
"dateReserved": "2017-04-05T00:00:00",
"dateUpdated": "2024-08-05T16:04:12.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"438CD7A3-3F93-4BC8-AE63-B61BD852D406\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D4AC996-B340-4A14-86F7-FF83B4D5EC8F\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C766B188-526F-48FD-B9D0-9B6C7B6696C6\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E9AF77C-5D49-4842-9817-AD710A919073\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B62CC2D-0A0E-4E55-9215-83061A608926\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.\"}, {\"lang\": \"es\", \"value\": \"Se ha encontrado un error en la versi\\u00f3n 7.2.0 de instack-undercloud tal y como viene incorporado en Red Hat OpenStack Platform Pike; la versi\\u00f3n 6.1.0 en Red Hat OpenStack Platform Oacta y la versi\\u00f3n 5.3.0 en Red Hat OpenStack Newton, en donde los scripts de preinstalaci\\u00f3n y pol\\u00edticas de seguridad emplearon archivos temporales no seguros. Un usuario local podr\\u00eda explotar esta vulnerabilidad para llevar a cabo un ataque de enlace simb\\u00f3lico que les permita sobrescribir el contenido de archivos arbitrarios.\"}]",
"id": "CVE-2017-7549",
"lastModified": "2024-11-21T03:32:08.713",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.1, \"impactScore\": 4.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:N\", \"baseScore\": 3.3, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.4, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2017-09-21T21:29:00.447",
"references": "[{\"url\": \"http://www.securityfocus.com/bid/100407\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2557\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2649\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2687\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2693\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2726\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/100407\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2557\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2649\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2687\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2693\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2726\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-377\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2017-7549\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2017-09-21T21:29:00.447\",\"lastModified\":\"2024-11-21T03:32:08.713\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado un error en la versi\u00f3n 7.2.0 de instack-undercloud tal y como viene incorporado en Red Hat OpenStack Platform Pike; la versi\u00f3n 6.1.0 en Red Hat OpenStack Platform Oacta y la versi\u00f3n 5.3.0 en Red Hat OpenStack Newton, en donde los scripts de preinstalaci\u00f3n y pol\u00edticas de seguridad emplearon archivos temporales no seguros. Un usuario local podr\u00eda explotar esta vulnerabilidad para llevar a cabo un ataque de enlace simb\u00f3lico que les permita sobrescribir el contenido de archivos arbitrarios.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.1,\"impactScore\":4.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":3.3,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.4,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-377\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"438CD7A3-3F93-4BC8-AE63-B61BD852D406\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D4AC996-B340-4A14-86F7-FF83B4D5EC8F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C766B188-526F-48FD-B9D0-9B6C7B6696C6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E9AF77C-5D49-4842-9817-AD710A919073\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B62CC2D-0A0E-4E55-9215-83061A608926\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100407\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2557\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2649\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2687\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2693\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2726\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100407\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2557\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2649\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2687\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2693\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2726\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}"
}
}
rhsa-2017_2557
Vulnerability from csaf_redhat
Published
2017-08-30 13:47
Modified
2024-11-14 23:36
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2557",
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2557.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:36:50+00:00",
"generator": {
"date": "2024-11-14T23:36:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2557",
"initial_release_date": "2017-08-30T13:47:40+00:00",
"revision_history": [
{
"date": "2017-08-30T13:47:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-30T13:47:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:36:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product_id": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product_id": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
},
"product_reference": "instack-undercloud-0:4.0.0-17.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-30T13:47:40+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
RHSA-2017:2649
Vulnerability from csaf_redhat
Published
2017-09-06 16:53
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version:
instack-undercloud (5.3.0). (BZ#1479841)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security
policy scripts used insecure temporary files. A local user could exploit
this flaw to conduct a symbolic-link attack, allowing them to overwrite the
contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version:\ninstack-undercloud (5.3.0). (BZ#1479841)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security\npolicy scripts used insecure temporary files. A local user could exploit\nthis flaw to conduct a symbolic-link attack, allowing them to overwrite the\ncontents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2649",
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1465616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465616"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "1479841",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1479841"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2649.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:37:41+00:00",
"generator": {
"date": "2024-11-14T23:37:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2649",
"initial_release_date": "2017-09-06T16:53:50+00:00",
"revision_history": [
{
"date": "2017-09-06T16:53:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-06T16:53:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product_id": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product_id": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
},
"product_reference": "instack-undercloud-0:5.3.0-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-06T16:53:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017:2687
Vulnerability from csaf_redhat
Published
2017-09-12 17:09
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2687",
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1324894",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324894"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2687.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:39+00:00",
"generator": {
"date": "2024-11-14T23:37:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2687",
"initial_release_date": "2017-09-12T17:09:10+00:00",
"revision_history": [
{
"date": "2017-09-12T17:09:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-12T17:09:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 8.0 Director for RHEL 7",
"product": {
"name": "OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:8::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product_id": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product_id": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch as a component of OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.src as a component of OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
},
"product_reference": "instack-undercloud-0:2.2.7-10.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-12T17:09:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017_2649
Vulnerability from csaf_redhat
Published
2017-09-06 16:53
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version:
instack-undercloud (5.3.0). (BZ#1479841)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security
policy scripts used insecure temporary files. A local user could exploit
this flaw to conduct a symbolic-link attack, allowing them to overwrite the
contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version:\ninstack-undercloud (5.3.0). (BZ#1479841)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security\npolicy scripts used insecure temporary files. A local user could exploit\nthis flaw to conduct a symbolic-link attack, allowing them to overwrite the\ncontents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2649",
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1465616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465616"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "1479841",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1479841"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2649.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:37:41+00:00",
"generator": {
"date": "2024-11-14T23:37:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2649",
"initial_release_date": "2017-09-06T16:53:50+00:00",
"revision_history": [
{
"date": "2017-09-06T16:53:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-06T16:53:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product_id": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product_id": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
},
"product_reference": "instack-undercloud-0:5.3.0-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-06T16:53:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017_2687
Vulnerability from csaf_redhat
Published
2017-09-12 17:09
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2687",
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1324894",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324894"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2687.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:39+00:00",
"generator": {
"date": "2024-11-14T23:37:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2687",
"initial_release_date": "2017-09-12T17:09:10+00:00",
"revision_history": [
{
"date": "2017-09-12T17:09:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-12T17:09:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 8.0 Director for RHEL 7",
"product": {
"name": "OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:8::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product_id": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product_id": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch as a component of OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.src as a component of OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
},
"product_reference": "instack-undercloud-0:2.2.7-10.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-12T17:09:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017_2693
Vulnerability from csaf_redhat
Published
2017-09-12 16:58
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2693",
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2693.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:35+00:00",
"generator": {
"date": "2024-11-14T23:37:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2693",
"initial_release_date": "2017-09-12T16:58:04+00:00",
"revision_history": [
{
"date": "2017-09-12T16:58:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-12T16:58:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 7.0 Director for RHEL 7",
"product": {
"name": "OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product_id": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product_id": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
},
"product_reference": "instack-undercloud-0:2.1.2-41.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-12T16:58:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017:2649
Vulnerability from csaf_redhat
Published
2017-09-06 16:53
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version:
instack-undercloud (5.3.0). (BZ#1479841)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security
policy scripts used insecure temporary files. A local user could exploit
this flaw to conduct a symbolic-link attack, allowing them to overwrite the
contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version:\ninstack-undercloud (5.3.0). (BZ#1479841)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security\npolicy scripts used insecure temporary files. A local user could exploit\nthis flaw to conduct a symbolic-link attack, allowing them to overwrite the\ncontents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2649",
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1465616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465616"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "1479841",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1479841"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2649.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:37:41+00:00",
"generator": {
"date": "2024-11-14T23:37:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2649",
"initial_release_date": "2017-09-06T16:53:50+00:00",
"revision_history": [
{
"date": "2017-09-06T16:53:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-06T16:53:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product_id": "instack-undercloud-0:5.3.0-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product_id": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:5.3.0-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:5.3.0-3.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
},
"product_reference": "instack-undercloud-0:5.3.0-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-06T16:53:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch",
"7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
RHSA-2017:2687
Vulnerability from csaf_redhat
Published
2017-09-12 17:09
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2687",
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1324894",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324894"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2687.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:39+00:00",
"generator": {
"date": "2024-11-14T23:37:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2687",
"initial_release_date": "2017-09-12T17:09:10+00:00",
"revision_history": [
{
"date": "2017-09-12T17:09:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-12T17:09:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 8.0 Director for RHEL 7",
"product": {
"name": "OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:8::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product_id": "instack-undercloud-0:2.2.7-10.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product_id": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.noarch as a component of OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:2.2.7-10.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.2.7-10.el7ost.src as a component of OpenStack 8.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
},
"product_reference": "instack-undercloud-0:2.2.7-10.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-12T17:09:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch",
"7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017:2557
Vulnerability from csaf_redhat
Published
2017-08-30 13:47
Modified
2024-11-14 23:36
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2557",
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2557.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:36:50+00:00",
"generator": {
"date": "2024-11-14T23:36:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2557",
"initial_release_date": "2017-08-30T13:47:40+00:00",
"revision_history": [
{
"date": "2017-08-30T13:47:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-30T13:47:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:36:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product_id": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product_id": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
},
"product_reference": "instack-undercloud-0:4.0.0-17.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-30T13:47:40+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
RHSA-2017:2693
Vulnerability from csaf_redhat
Published
2017-09-12 16:58
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2693",
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2693.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:35+00:00",
"generator": {
"date": "2024-11-14T23:37:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2693",
"initial_release_date": "2017-09-12T16:58:04+00:00",
"revision_history": [
{
"date": "2017-09-12T16:58:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-12T16:58:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 7.0 Director for RHEL 7",
"product": {
"name": "OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product_id": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product_id": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
},
"product_reference": "instack-undercloud-0:2.1.2-41.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-12T16:58:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
RHSA-2017:2726
Vulnerability from csaf_redhat
Published
2017-09-13 21:46
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2726",
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "1481793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1481793"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2726.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:37:43+00:00",
"generator": {
"date": "2024-11-14T23:37:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2726",
"initial_release_date": "2017-09-13T21:46:06+00:00",
"revision_history": [
{
"date": "2017-09-13T21:46:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-13T21:46:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 11.0",
"product": {
"name": "Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:11::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product_id": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product_id": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-11.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.src as a component of Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
},
"product_reference": "instack-undercloud-0:6.1.0-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-11.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T21:46:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017:2693
Vulnerability from csaf_redhat
Published
2017-09-12 16:58
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2693",
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2693.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:37:35+00:00",
"generator": {
"date": "2024-11-14T23:37:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2693",
"initial_release_date": "2017-09-12T16:58:04+00:00",
"revision_history": [
{
"date": "2017-09-12T16:58:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-12T16:58:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 7.0 Director for RHEL 7",
"product": {
"name": "OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product_id": "instack-undercloud-0:2.1.2-41.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product_id": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:2.1.2-41.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:2.1.2-41.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
},
"product_reference": "instack-undercloud-0:2.1.2-41.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-12T16:58:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
RHSA-2017:2557
Vulnerability from csaf_redhat
Published
2017-08-30 13:47
Modified
2024-11-14 23:36
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2557",
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2557.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security update",
"tracking": {
"current_release_date": "2024-11-14T23:36:50+00:00",
"generator": {
"date": "2024-11-14T23:36:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2557",
"initial_release_date": "2017-08-30T13:47:40+00:00",
"revision_history": [
{
"date": "2017-08-30T13:47:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-30T13:47:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:36:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product_id": "instack-undercloud-0:4.0.0-17.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product_id": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:4.0.0-17.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:4.0.0-17.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
},
"product_reference": "instack-undercloud-0:4.0.0-17.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-30T13:47:40+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017_2726
Vulnerability from csaf_redhat
Published
2017-09-13 21:46
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2726",
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "1481793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1481793"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2726.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:37:43+00:00",
"generator": {
"date": "2024-11-14T23:37:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2726",
"initial_release_date": "2017-09-13T21:46:06+00:00",
"revision_history": [
{
"date": "2017-09-13T21:46:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-13T21:46:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 11.0",
"product": {
"name": "Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:11::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product_id": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product_id": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-11.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.src as a component of Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
},
"product_reference": "instack-undercloud-0:6.1.0-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-11.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T21:46:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
rhsa-2017:2726
Vulnerability from csaf_redhat
Published
2017-09-13 21:46
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2726",
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "1481793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1481793"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2726.json"
}
],
"title": "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:37:43+00:00",
"generator": {
"date": "2024-11-14T23:37:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2726",
"initial_release_date": "2017-09-13T21:46:06+00:00",
"revision_history": [
{
"date": "2017-09-13T21:46:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-13T21:46:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:37:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 11.0",
"product": {
"name": "Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:11::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product_id": "instack-undercloud-0:6.1.0-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product_id": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch"
},
"product_reference": "instack-undercloud-0:6.1.0-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-11.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "instack-undercloud-0:6.1.0-3.el7ost.src as a component of Red Hat OpenStack Platform 11.0",
"product_id": "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
},
"product_reference": "instack-undercloud-0:6.1.0-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-11.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Matthew Booth"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-7549",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2017-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1477403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "instack-undercloud: uses hardcoded /tmp paths",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"category": "external",
"summary": "RHBZ#1477403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7549",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
}
],
"release_date": "2017-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-13T21:46:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch",
"7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "instack-undercloud: uses hardcoded /tmp paths"
}
]
}
cve-2017-7549
Vulnerability from fkie_nvd
Published
2017-09-21 21:29
Modified
2024-11-21 03:32
Severity ?
Summary
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | instack-undercloud | 7.2.0 | |
| redhat | openstack | 12 | |
| openstack | instack-undercloud | 6.1.0 | |
| redhat | openstack | 11 | |
| openstack | instack-undercloud | 5.3.0 | |
| redhat | openstack | 10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "438CD7A3-3F93-4BC8-AE63-B61BD852D406",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*",
"matchCriteriaId": "4D4AC996-B340-4A14-86F7-FF83B4D5EC8F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C766B188-526F-48FD-B9D0-9B6C7B6696C6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*",
"matchCriteriaId": "4E9AF77C-5D49-4842-9817-AD710A919073",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8B62CC2D-0A0E-4E55-9215-83061A608926",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
"matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
},
{
"lang": "es",
"value": "Se ha encontrado un error en la versi\u00f3n 7.2.0 de instack-undercloud tal y como viene incorporado en Red Hat OpenStack Platform Pike; la versi\u00f3n 6.1.0 en Red Hat OpenStack Platform Oacta y la versi\u00f3n 5.3.0 en Red Hat OpenStack Newton, en donde los scripts de preinstalaci\u00f3n y pol\u00edticas de seguridad emplearon archivos temporales no seguros. Un usuario local podr\u00eda explotar esta vulnerabilidad para llevar a cabo un ataque de enlace simb\u00f3lico que les permita sobrescribir el contenido de archivos arbitrarios."
}
],
"id": "CVE-2017-7549",
"lastModified": "2024-11-21T03:32:08.713",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.1,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-21T21:29:00.447",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100407"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100407"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-377"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
gsd-2017-7549
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-7549",
"description": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"id": "GSD-2017-7549",
"references": [
"https://access.redhat.com/errata/RHSA-2017:2726",
"https://access.redhat.com/errata/RHSA-2017:2693",
"https://access.redhat.com/errata/RHSA-2017:2687",
"https://access.redhat.com/errata/RHSA-2017:2649",
"https://access.redhat.com/errata/RHSA-2017:2557"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2017-7549"
],
"details": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"id": "GSD-2017-7549",
"modified": "2023-12-13T01:21:07.190022Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2017-7549",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "instack-undercloud",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Pike, 12: v7.2.0, Ocata, 11: v6.1.0, Newton, 10: v5.3.0"
}
]
}
}
]
},
"vendor_name": "Red Hat, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-377",
"lang": "eng",
"value": "CWE-377"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.securityfocus.com/bid/100407",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/100407"
},
{
"name": "https://access.redhat.com/errata/RHSA-2017:2557",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"name": "https://access.redhat.com/errata/RHSA-2017:2649",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"name": "https://access.redhat.com/errata/RHSA-2017:2687",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"name": "https://access.redhat.com/errata/RHSA-2017:2693",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"name": "https://access.redhat.com/errata/RHSA-2017:2726",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "==5.3.0||==6.1.0||==7.2.0",
"affected_versions": "Version 5.3.0, version 6.1.0, version 7.2.0",
"cvss_v2": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-59",
"CWE-937"
],
"date": "2018-01-05",
"description": "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"fixed_versions": [
"5.3.1",
"6.1.1",
"7.3.0"
],
"identifier": "CVE-2017-7549",
"identifiers": [
"CVE-2017-7549"
],
"not_impacted": "All versions before 5.3.0, all versions after 5.3.0, all versions before 6.1.0, all versions after 6.1.0, all versions before 7.2.0, all versions after 7.2.0",
"package_slug": "pypi/instack-undercloud",
"pubdate": "2017-09-21",
"solution": "Upgrade to versions 5.3.1, 6.1.1, 7.3.0 or above.",
"title": "Improper Link Resolution Before File Access",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2017-7549",
"http://www.securityfocus.com/bid/100407",
"https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
],
"uuid": "29b243c5-db91-44dd-80b0-4f8b047c7e90"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2017-7549"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-377"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"name": "100407",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100407"
},
{
"name": "RHSA-2017:2726",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"name": "RHSA-2017:2693",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"name": "RHSA-2017:2687",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"name": "RHSA-2017:2649",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"name": "RHSA-2017:2557",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.1,
"impactScore": 4.7
}
},
"lastModifiedDate": "2023-02-12T23:31Z",
"publishedDate": "2017-09-21T21:29Z"
}
}
}
ghsa-53wm-97p6-582f
Vulnerability from github
Published
2022-05-13 01:07
Modified
2024-04-22 22:48
Severity ?
Summary
instack-undercloud vulnerable to symlink attack on tmp files
Details
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "instack-undercloud"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-7549"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:48:23Z",
"nvd_published_at": "2017-09-21T21:29:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
"id": "GHSA-53wm-97p6-582f",
"modified": "2024-04-22T22:48:23Z",
"published": "2022-05-13T01:07:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2557"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2649"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2687"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2693"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2726"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-7549"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
},
{
"type": "WEB",
"url": "https://opendev.org/openstack/instack-undercloud"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20170907040549/http://www.securityfocus.com/bid/100407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "instack-undercloud vulnerable to symlink attack on tmp files"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.