cve-2017-7549
Vulnerability from cvelistv5
Published
2017-09-21 20:00
Modified
2024-08-05 16:04
Severity
EPSS score
0.04%
(0.07882)
Summary
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Ocata, and 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
References
Impacted products
Vendor | Product | Version
---|---|---
Red Hat, Inc. | instack-undercloud | Pike, 12: v7.2.0; Ocata, 11: v6.1.0; Newton, 10: v5.3.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T16:04:12.059Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2017:2726", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { name: "100407", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/100407", }, { name: "RHSA-2017:2649", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { name: "RHSA-2017:2687", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { name: "RHSA-2017:2557", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { name: "RHSA-2017:2693", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "instack-undercloud", vendor: "Red Hat, Inc.", versions: [ { status: "affected", version: "Pike, 12: v7.2.0, Ocata, 11: v6.1.0, Newton, 10: v5.3.0", }, ], }, ], datePublic: "2017-08-14T00:00:00", descriptions: [ { lang: "en", value: "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. 
A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-377", description: "CWE-377", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-04T19:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2017:2726", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { name: "100407", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/100407", }, { name: "RHSA-2017:2649", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { name: "RHSA-2017:2687", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { name: "RHSA-2017:2557", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { name: "RHSA-2017:2693", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2017-7549", datePublished: "2017-09-21T20:00:00Z", dateReserved: "2017-04-05T00:00:00", dateUpdated: "2024-08-05T16:04:12.059Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"438CD7A3-3F93-4BC8-AE63-B61BD852D406\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": 
[{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D4AC996-B340-4A14-86F7-FF83B4D5EC8F\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C766B188-526F-48FD-B9D0-9B6C7B6696C6\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E9AF77C-5D49-4842-9817-AD710A919073\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B62CC2D-0A0E-4E55-9215-83061A608926\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.\"}, {\"lang\": \"es\", \"value\": \"Se ha encontrado un error en la versi\\u00f3n 7.2.0 de instack-undercloud tal y como viene incorporado en Red Hat OpenStack Platform Pike; la versi\\u00f3n 6.1.0 en Red Hat OpenStack Platform Oacta y la versi\\u00f3n 5.3.0 en Red Hat OpenStack Newton, en donde los scripts de preinstalaci\\u00f3n y pol\\u00edticas de seguridad emplearon archivos temporales no seguros. 
Un usuario local podr\\u00eda explotar esta vulnerabilidad para llevar a cabo un ataque de enlace simb\\u00f3lico que les permita sobrescribir el contenido de archivos arbitrarios.\"}]", id: "CVE-2017-7549", lastModified: "2024-11-21T03:32:08.713", metrics: "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.1, \"impactScore\": 4.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:N\", \"baseScore\": 3.3, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.4, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2017-09-21T21:29:00.447", references: "[{\"url\": \"http://www.securityfocus.com/bid/100407\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2557\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2649\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2687\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2693\", \"source\": 
\"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2726\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/100407\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2557\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2649\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2687\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2693\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2726\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-377\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2017-7549\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2017-09-21T21:29:00.447\",\"lastModified\":\"2024-11-21T03:32:08.713\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack 
Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado un error en la versión 7.2.0 de instack-undercloud tal y como viene incorporado en Red Hat OpenStack Platform Pike; la versión 6.1.0 en Red Hat OpenStack Platform Oacta y la versión 5.3.0 en Red Hat OpenStack Newton, en donde los scripts de preinstalación y políticas de seguridad emplearon archivos temporales no seguros. Un usuario local podría explotar esta vulnerabilidad para llevar a cabo un ataque de enlace simbólico que les permita sobrescribir el contenido de archivos arbitrarios.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.1,\"impactScore\":4.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":3.3,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.4,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-377\"}]},{\"source\":\
"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"438CD7A3-3F93-4BC8-AE63-B61BD852D406\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D4AC996-B340-4A14-86F7-FF83B4D5EC8F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C766B188-526F-48FD-B9D0-9B6C7B6696C6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E9AF77C-5D49-4842-9817-AD710A919073\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B62CC2D-0A0E-4E55-9215-83061A608926\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100407\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB 
Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2557\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2649\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2687\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2693\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2726\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100407\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2557\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2649\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2687\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2693\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2726\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1477403\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}", }, }
fkie_cve-2017-7549
Vulnerability from fkie_nvd
Published
2017-09-21 21:29
Modified
2024-11-21 03:32
Severity
Summary
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Ocata, and 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
References
Impacted products
Vendor | Product | Version
---|---|---
openstack | instack-undercloud | 7.2.0
redhat | openstack | 12
openstack | instack-undercloud | 6.1.0
redhat | openstack | 11
openstack | instack-undercloud | 5.3.0
redhat | openstack | 10
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*", matchCriteriaId: "438CD7A3-3F93-4BC8-AE63-B61BD852D406", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*", matchCriteriaId: "4D4AC996-B340-4A14-86F7-FF83B4D5EC8F", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*", matchCriteriaId: "C766B188-526F-48FD-B9D0-9B6C7B6696C6", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*", matchCriteriaId: "4E9AF77C-5D49-4842-9817-AD710A919073", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*", matchCriteriaId: "8B62CC2D-0A0E-4E55-9215-83061A608926", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", matchCriteriaId: "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. 
A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", }, { lang: "es", value: "Se ha encontrado un error en la versión 7.2.0 de instack-undercloud tal y como viene incorporado en Red Hat OpenStack Platform Pike; la versión 6.1.0 en Red Hat OpenStack Platform Oacta y la versión 5.3.0 en Red Hat OpenStack Newton, en donde los scripts de preinstalación y políticas de seguridad emplearon archivos temporales no seguros. Un usuario local podría explotar esta vulnerabilidad para llevar a cabo un ataque de enlace simbólico que les permita sobrescribir el contenido de archivos arbitrarios.", }, ], id: "CVE-2017-7549", lastModified: "2024-11-21T03:32:08.713", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 3.4, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", version: "3.0", }, exploitabilityScore: 1.1, impactScore: 4.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-09-21T21:29:00.447", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100407", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { 
source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100407", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-377", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-59", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
rhsa-2017_2726
Vulnerability from csaf_redhat
Published
2017-09-13 21:46
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2726", url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "1481793", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1481793", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2726.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update", tracking: { current_release_date: "2024-11-14T23:37:43+00:00", generator: { date: "2024-11-14T23:37:43+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2726", initial_release_date: "2017-09-13T21:46:06+00:00", revision_history: [ { date: "2017-09-13T21:46:06+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-13T21:46:06+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:43+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 11.0", product: { name: "Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack:11::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:6.1.0-3.el7ost.src", product: { name: "instack-undercloud-0:6.1.0-3.el7ost.src", product_id: "instack-undercloud-0:6.1.0-3.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product: { name: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product_id: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:6.1.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", }, product_reference: "instack-undercloud-0:6.1.0-3.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-11.0", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:6.1.0-3.el7ost.src as a component of Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", }, product_reference: "instack-undercloud-0:6.1.0-3.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-11.0", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ 
{ category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-13T21:46:06+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2726", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: 
"LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2649
Vulnerability from csaf_redhat
Published
2017-09-06 16:53
Modified
2025-03-19 14:34
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version:
instack-undercloud (5.3.0). (BZ#1479841)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version:\ninstack-undercloud (5.3.0). (BZ#1479841)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security\npolicy scripts used insecure temporary files. A local user could exploit\nthis flaw to conduct a symbolic-link attack, allowing them to overwrite the\ncontents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2649", url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1465616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465616", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "1479841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1479841", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2649.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update", tracking: { current_release_date: "2025-03-19T14:34:26+00:00", generator: { date: "2025-03-19T14:34:26+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2017:2649", initial_release_date: "2017-09-06T16:53:50+00:00", revision_history: [ { date: "2017-09-06T16:53:50+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-06T16:53:50+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T14:34:26+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 10.0", product: { name: "Red Hat OpenStack 
Platform 10.0", product_id: "7Server-RH7-RHOS-10.0", product_identification_helper: { cpe: "cpe:/a:redhat:openstack:10::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:5.3.0-3.el7ost.src", product: { name: "instack-undercloud-0:5.3.0-3.el7ost.src", product_id: "instack-undercloud-0:5.3.0-3.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product: { name: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product_id: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:5.3.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0", product_id: "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", }, product_reference: "instack-undercloud-0:5.3.0-3.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-10.0", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:5.3.0-3.el7ost.src as a component of Red Hat OpenStack Platform 10.0", product_id: "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", }, product_reference: "instack-undercloud-0:5.3.0-3.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-10.0", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: 
"2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-06T16:53:50+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2017:2649", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2687
Vulnerability from csaf_redhat
Published
2017-09-12 17:09
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2687", url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1324894", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1324894", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2687.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:37:39+00:00", generator: { date: "2024-11-14T23:37:39+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2687", initial_release_date: "2017-09-12T17:09:10+00:00", revision_history: [ { date: "2017-09-12T17:09:10+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-12T17:09:10+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:39+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 8.0 Director for RHEL 7", product: { name: "OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack-director:8::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.2.7-10.el7ost.src", product: { name: "instack-undercloud-0:2.2.7-10.el7ost.src", product_id: "instack-undercloud-0:2.2.7-10.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product: { name: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product_id: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.2.7-10.el7ost.noarch as a component of OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", }, product_reference: "instack-undercloud-0:2.2.7-10.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-8.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.2.7-10.el7ost.src as a component of OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", }, product_reference: "instack-undercloud-0:2.2.7-10.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-8.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { 
system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-12T17:09:10+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2017:2687", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2557
Vulnerability from csaf_redhat
Published
2017-08-30 13:47
Modified
2024-11-14 23:36
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2557", url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2557.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:36:50+00:00", generator: { date: "2024-11-14T23:36:50+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2557", initial_release_date: "2017-08-30T13:47:40+00:00", revision_history: [ { date: "2017-08-30T13:47:40+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-30T13:47:40+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:36:50+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 9.0 Director for RHEL 7", product: { name: "OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director", product_identification_helper: { cpe: "cpe:/a:redhat:openstack-director:9::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { 
category: "product_version", name: "instack-undercloud-0:4.0.0-17.el7ost.src", product: { name: "instack-undercloud-0:4.0.0-17.el7ost.src", product_id: "instack-undercloud-0:4.0.0-17.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product: { name: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product_id: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:4.0.0-17.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", }, product_reference: "instack-undercloud-0:4.0.0-17.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-9.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:4.0.0-17.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", }, product_reference: "instack-undercloud-0:4.0.0-17.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-9.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where 
pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-30T13:47:40+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2557", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 
6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2693
Vulnerability from csaf_redhat
Published
2017-09-12 16:58
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2693", url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2693.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:37:35+00:00", generator: { date: "2024-11-14T23:37:35+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2693", initial_release_date: "2017-09-12T16:58:04+00:00", revision_history: [ { date: "2017-09-12T16:58:04+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-12T16:58:05+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:35+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 7.0 Director for RHEL 7", product: { name: "OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director", product_identification_helper: { cpe: "cpe:/a:redhat:openstack-director:7::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { 
category: "product_version", name: "instack-undercloud-0:2.1.2-41.el7ost.src", product: { name: "instack-undercloud-0:2.1.2-41.el7ost.src", product_id: "instack-undercloud-0:2.1.2-41.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product: { name: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product_id: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.1.2-41.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", }, product_reference: "instack-undercloud-0:2.1.2-41.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-7.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.1.2-41.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", }, product_reference: "instack-undercloud-0:2.1.2-41.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-7.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where 
pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-12T16:58:04+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2693", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 
6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
rhsa-2017:2557
Vulnerability from csaf_redhat
Published
2017-08-30 13:47
Modified
2024-11-14 23:36
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2557", url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2557.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:36:50+00:00", generator: { date: "2024-11-14T23:36:50+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2557", initial_release_date: "2017-08-30T13:47:40+00:00", revision_history: [ { date: "2017-08-30T13:47:40+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-30T13:47:40+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:36:50+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 9.0 Director for RHEL 7", product: { name: "OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director", product_identification_helper: { cpe: "cpe:/a:redhat:openstack-director:9::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { 
category: "product_version", name: "instack-undercloud-0:4.0.0-17.el7ost.src", product: { name: "instack-undercloud-0:4.0.0-17.el7ost.src", product_id: "instack-undercloud-0:4.0.0-17.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product: { name: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product_id: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:4.0.0-17.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", }, product_reference: "instack-undercloud-0:4.0.0-17.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-9.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:4.0.0-17.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", }, product_reference: "instack-undercloud-0:4.0.0-17.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-9.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where 
pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-30T13:47:40+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2557", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 
6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
rhsa-2017_2687
Vulnerability from csaf_redhat
Published
2017-09-12 17:09
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2687", url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1324894", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1324894", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2687.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:37:39+00:00", generator: { date: "2024-11-14T23:37:39+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2687", initial_release_date: "2017-09-12T17:09:10+00:00", revision_history: [ { date: "2017-09-12T17:09:10+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-12T17:09:10+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:39+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 8.0 Director for RHEL 7", product: { name: "OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack-director:8::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.2.7-10.el7ost.src", product: { name: "instack-undercloud-0:2.2.7-10.el7ost.src", product_id: "instack-undercloud-0:2.2.7-10.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product: { name: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product_id: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.2.7-10.el7ost.noarch as a component of OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", }, product_reference: "instack-undercloud-0:2.2.7-10.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-8.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.2.7-10.el7ost.src as a component of OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", }, product_reference: "instack-undercloud-0:2.2.7-10.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-8.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { 
system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-12T17:09:10+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2017:2687", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
rhsa-2017:2726
Vulnerability from csaf_redhat
Published
2017-09-13 21:46
Modified
2025-03-19 14:34
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2726", url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "1481793", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1481793", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2726.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update", tracking: { current_release_date: "2025-03-19T14:34:27+00:00", generator: { date: "2025-03-19T14:34:27+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2017:2726", initial_release_date: "2017-09-13T21:46:06+00:00", revision_history: [ { date: "2017-09-13T21:46:06+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-13T21:46:06+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T14:34:27+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 11.0", product: { name: "Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack:11::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:6.1.0-3.el7ost.src", product: { name: "instack-undercloud-0:6.1.0-3.el7ost.src", product_id: "instack-undercloud-0:6.1.0-3.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product: { name: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product_id: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:6.1.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", }, product_reference: "instack-undercloud-0:6.1.0-3.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-11.0", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:6.1.0-3.el7ost.src as a component of Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", }, product_reference: "instack-undercloud-0:6.1.0-3.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-11.0", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ 
{ category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-13T21:46:06+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2726", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: 
"LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2693
Vulnerability from csaf_redhat
Published
2017-09-12 16:58
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2693", url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2693.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:37:35+00:00", generator: { date: "2024-11-14T23:37:35+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2693", initial_release_date: "2017-09-12T16:58:04+00:00", revision_history: [ { date: "2017-09-12T16:58:04+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-12T16:58:05+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:35+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 7.0 Director for RHEL 7", product: { name: "OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director", product_identification_helper: { cpe: "cpe:/a:redhat:openstack-director:7::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { 
category: "product_version", name: "instack-undercloud-0:2.1.2-41.el7ost.src", product: { name: "instack-undercloud-0:2.1.2-41.el7ost.src", product_id: "instack-undercloud-0:2.1.2-41.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product: { name: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product_id: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.1.2-41.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", }, product_reference: "instack-undercloud-0:2.1.2-41.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-7.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.1.2-41.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", }, product_reference: "instack-undercloud-0:2.1.2-41.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-7.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where 
pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-12T16:58:04+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2693", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 
6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2649
Vulnerability from csaf_redhat
Published
2017-09-06 16:53
Modified
2025-03-19 14:34
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (5.3.0). (BZ#1479841)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version:\ninstack-undercloud (5.3.0). (BZ#1479841)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security\npolicy scripts used insecure temporary files. A local user could exploit\nthis flaw to conduct a symbolic-link attack, allowing them to overwrite the\ncontents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2649", url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1465616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465616", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "1479841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1479841", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2649.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update", tracking: { current_release_date: "2025-03-19T14:34:26+00:00", generator: { date: "2025-03-19T14:34:26+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2017:2649", initial_release_date: "2017-09-06T16:53:50+00:00", revision_history: [ { date: "2017-09-06T16:53:50+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-06T16:53:50+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T14:34:26+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 10.0", product: { name: "Red Hat OpenStack 
Platform 10.0", product_id: "7Server-RH7-RHOS-10.0", product_identification_helper: { cpe: "cpe:/a:redhat:openstack:10::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:5.3.0-3.el7ost.src", product: { name: "instack-undercloud-0:5.3.0-3.el7ost.src", product_id: "instack-undercloud-0:5.3.0-3.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product: { name: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product_id: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:5.3.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0", product_id: "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", }, product_reference: "instack-undercloud-0:5.3.0-3.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-10.0", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:5.3.0-3.el7ost.src as a component of Red Hat OpenStack Platform 10.0", product_id: "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", }, product_reference: "instack-undercloud-0:5.3.0-3.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-10.0", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: 
"2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-06T16:53:50+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2017:2649", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2726
Vulnerability from csaf_redhat
Published
2017-09-13 21:46
Modified
2025-03-19 14:34
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
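Each of the three advisories on this page names the build that carries the fix for its release: instack-undercloud-0:2.1.2-41.el7ost for Red Hat Enterprise Linux OpenStack Platform director 7.0 (RHSA-2017:2693), 0:5.3.0-3.el7ost for Red Hat OpenStack Platform 10.0 (RHSA-2017:2649) and 0:6.1.0-3.el7ost for Red Hat OpenStack Platform 11.0 (RHSA-2017:2726). The script below is an added example, not Red Hat tooling, that turns those entries into a check of an installed undercloud: it takes the epoch:version-release string that rpm reports and compares it with the fixed build for that release. Two assumptions are baked in: the comparison uses GNU sort -V, which orders these particular "epoch:X.Y.Z-N.el7ost" strings correctly but is not rpm's own label-comparison algorithm, and the installed builds fed to it in the test are constructed.

```shell
#!/bin/sh
# Added example, not Red Hat tooling: check an installed instack-undercloud
# against the fixed builds named in RHSA-2017:2693, RHSA-2017:2649 and
# RHSA-2017:2726. The comparison uses GNU sort -V, which orders the
# "epoch:X.Y.Z-N.el7ost" strings involved correctly but is not rpm's own
# label-comparison algorithm (assumption: do not reuse it blindly elsewhere).

# Fixed build (epoch:version-release) per Red Hat OpenStack Platform release,
# from the advisories' product_status.fixed entries.
fixed_build_for() {
    case "$1" in
        7)  echo "0:2.1.2-41.el7ost" ;;   # OSP director 7.0, RHSA-2017:2693
        10) echo "0:5.3.0-3.el7ost"  ;;   # OSP 10.0 (Newton), RHSA-2017:2649
        11) echo "0:6.1.0-3.el7ost"  ;;   # OSP 11.0 (Ocata),  RHSA-2017:2726
        *)  echo "no advisory entry for release '$1'" >&2; return 1 ;;
    esac
}

# Exit 0 when INSTALLED is the fixed build or newer. rpm prints "(none)"
# for an unset epoch; the advisories write that as epoch 0.
is_fixed() {
    inst=$(printf '%s' "$1" | sed 's/^(none):/0:/')
    fix=$2
    low=$(printf '%s\n%s\n' "$inst" "$fix" | sort -V | head -n 1)
    [ "$low" = "$fix" ]
}

# Live check for an undercloud host: query rpm for the installed build.
# Usage: sh check.sh 10     (on a Platform 10.0 undercloud)
check_host() {
    installed=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' instack-undercloud) || {
        echo "instack-undercloud is not installed"; return 2; }
    fixed=$(fixed_build_for "$1") || return 2
    if is_fixed "$installed" "$fixed"; then
        echo "OK: $installed is at or past $fixed (CVE-2017-7549 fixed)"
    else
        echo "VULNERABLE: $installed is older than $fixed; apply the advisory"
        return 1
    fi
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```

Run it with the release number as the only argument on the undercloud itself; the exit status (0 fixed, 1 vulnerable, 2 could not determine) makes it usable from a fleet-wide job. For packages whose version strings contain tildes, carets or mixed alphanumeric segments, replace the sort -V comparison with rpm's own ordering (for example python's rpm.labelCompare) before trusting the result.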
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 11.0 (Ocata).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version: instack-undercloud (6.1.0). (BZ#1481793)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2726", url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "1481793", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1481793", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2726.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update", tracking: { current_release_date: "2025-03-19T14:34:27+00:00", generator: { date: "2025-03-19T14:34:27+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2017:2726", initial_release_date: "2017-09-13T21:46:06+00:00", revision_history: [ { date: "2017-09-13T21:46:06+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-13T21:46:06+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T14:34:27+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 11.0", product: { name: "Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack:11::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:6.1.0-3.el7ost.src", product: { name: "instack-undercloud-0:6.1.0-3.el7ost.src", product_id: "instack-undercloud-0:6.1.0-3.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product: { name: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product_id: "instack-undercloud-0:6.1.0-3.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@6.1.0-3.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:6.1.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", }, product_reference: "instack-undercloud-0:6.1.0-3.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-11.0", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:6.1.0-3.el7ost.src as a component of Red Hat OpenStack Platform 11.0", product_id: "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", }, product_reference: "instack-undercloud-0:6.1.0-3.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-11.0", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ 
{ category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-13T21:46:06+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2726", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: 
"LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.noarch", "7Server-RH7-RHOS-11.0:instack-undercloud-0:6.1.0-3.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2649
Vulnerability from csaf_redhat
Published
2017-09-06 16:53
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
The following packages have been upgraded to a later upstream version: instack-undercloud (5.3.0). (BZ#1479841)
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
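The Details paragraphs of every advisory on this page (RHSA-2017:2693, RHSA-2017:2649 and RHSA-2017:2726) describe the same CWE-377 pattern, summarised in the records as "uses hardcoded /tmp paths": a script writes to a fixed, predictable name under /tmp, so a local user who plants that name as a symbolic link first gets the script's write redirected onto a file of their choosing, with whatever privileges the script runs under. The script below is added here as an illustration of that pattern and is not taken from instack-undercloud or from any Red Hat advisory. It shows the vulnerable write next to the mktemp-based fix, runs both against a pre-planted symlink in a scratch directory it creates itself, and finishes with a crude grep-based audit for the pattern; every path, file name and content in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not instack-undercloud code: the CWE-377 pattern behind
# CVE-2017-7549 (a script writing to a hardcoded name under /tmp) next to
# the mktemp-based fix, plus a crude audit for the pattern. Everything runs
# inside a scratch directory the demo creates; all names and contents here
# are constructed for the illustration.

# Vulnerable pattern: a fixed, predictable file name in a directory other
# users can write to, opened with plain redirection (O_CREAT, no O_EXCL).
# If an attacker has already placed a symlink at that name, the write
# follows the link and lands on its target with the script's privileges.
write_insecure() {
    tmpdir=$1; payload=$2
    printf '%s\n' "$payload" > "$tmpdir/report.txt"
}

# Hardened pattern: mktemp creates a fresh file (random suffix, O_EXCL,
# mode 0600) and fails rather than reuse an existing name, so a planted
# symlink can never be the file the script writes to. The script must use
# the path mktemp hands back instead of a name it chose in advance.
write_secure() {
    tmpdir=$1; payload=$2
    tmp=$(mktemp "$tmpdir/report.XXXXXX") || return 1
    printf '%s\n' "$payload" > "$tmp"
    printf '%s\n' "$tmp"
}

# Attack simulation: plant the predictable name as a symlink to a victim
# file, run the given writer, and print "clobbered" or "intact".
symlink_attack_outcome() {
    writer=$1
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$sandbox/report.txt"      # the attacker's only move
    "$writer" "$sandbox" "attacker-chosen content" >/dev/null 2>&1
    if [ "$(cat "$victim")" = "original" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$sandbox"
}

# Audit helper: lines of a script that use a literal /tmp/<name> without
# going through mktemp. Crude, but a quick first pass over install scripts.
find_hardcoded_tmp() {
    grep -nE '/tmp/[A-Za-z0-9._-]+' "$1" | grep -v mktemp || true
}

# A constructed script with two bad writes and one mktemp call, to audit.
sample_script() {
    cat <<'EOF'
#!/bin/bash
echo "policy" > /tmp/policy.out
scratch=$(mktemp /tmp/policy.XXXXXX)
cp /etc/hosts /tmp/hosts.bak
EOF
}

# Number of hardcoded /tmp references the audit finds in the sample (2).
count_hardcoded_tmp_in_sample() {
    f=$(mktemp) || return 1
    sample_script > "$f"
    n=$(find_hardcoded_tmp "$f" | wc -l | tr -d ' ')
    rm -f "$f"
    echo "$n"
}

main() {
    echo "hardcoded /tmp name: $(symlink_attack_outcome write_insecure)"
    echo "mktemp:              $(symlink_attack_outcome write_secure)"
    echo "audit hits in sample: $(count_hardcoded_tmp_in_sample)"
}
main
```

Two caveats for anyone reusing this. First, Linux kernels with fs.protected_symlinks=1 refuse to follow a symlink in a sticky, world-writable directory such as /tmp unless the link's owner matches the follower or the directory owner, which blunts the classic cross-user /tmp case; the demo runs in a private directory so that setting does not apply to it, and it is not a reason to leave hardcoded paths in place, since not every writable directory is sticky and hard links are handled separately. Second, the fix is only complete if the script never reopens the file by a name it computed itself: mktemp's returned path (or mktemp -d for a whole working directory) is the only handle it should use.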
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nThe following packages have been upgraded to a later upstream version:\ninstack-undercloud (5.3.0). (BZ#1479841)\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security\npolicy scripts used insecure temporary files. A local user could exploit\nthis flaw to conduct a symbolic-link attack, allowing them to overwrite the\ncontents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2649", url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1465616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465616", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "1479841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1479841", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2649.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security, bug fix, and enhancement update", tracking: { current_release_date: "2024-11-14T23:37:41+00:00", generator: { date: "2024-11-14T23:37:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2649", initial_release_date: "2017-09-06T16:53:50+00:00", revision_history: [ { date: "2017-09-06T16:53:50+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-06T16:53:50+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 10.0", product: { name: "Red Hat OpenStack 
Platform 10.0", product_id: "7Server-RH7-RHOS-10.0", product_identification_helper: { cpe: "cpe:/a:redhat:openstack:10::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:5.3.0-3.el7ost.src", product: { name: "instack-undercloud-0:5.3.0-3.el7ost.src", product_id: "instack-undercloud-0:5.3.0-3.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product: { name: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product_id: "instack-undercloud-0:5.3.0-3.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@5.3.0-3.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:5.3.0-3.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0", product_id: "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", }, product_reference: "instack-undercloud-0:5.3.0-3.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-10.0", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:5.3.0-3.el7ost.src as a component of Red Hat OpenStack Platform 10.0", product_id: "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", }, product_reference: "instack-undercloud-0:5.3.0-3.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-10.0", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: 
"2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-06T16:53:50+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2017:2649", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.noarch", "7Server-RH7-RHOS-10.0:instack-undercloud-0:5.3.0-3.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
RHSA-2017:2687
Vulnerability from csaf_redhat
Published
2017-09-12 17:09
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 8.0 (Liberty) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2687", url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1324894", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1324894", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2687.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:37:39+00:00", generator: { date: "2024-11-14T23:37:39+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2687", initial_release_date: "2017-09-12T17:09:10+00:00", revision_history: [ { date: "2017-09-12T17:09:10+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-12T17:09:10+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:39+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 8.0 Director for RHEL 7", product: { name: "OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack-director:8::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.2.7-10.el7ost.src", product: { name: "instack-undercloud-0:2.2.7-10.el7ost.src", product_id: "instack-undercloud-0:2.2.7-10.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product: { name: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product_id: "instack-undercloud-0:2.2.7-10.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.2.7-10.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.2.7-10.el7ost.noarch as a component of OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", }, product_reference: "instack-undercloud-0:2.2.7-10.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-8.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.2.7-10.el7ost.src as a component of OpenStack 8.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", }, product_reference: "instack-undercloud-0:2.2.7-10.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-8.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { 
system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-12T17:09:10+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2017:2687", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.noarch", "7Server-RH7-RHOS-8.0-Director:instack-undercloud-0:2.2.7-10.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
rhsa-2017_2693
Vulnerability from csaf_redhat
Published
2017-09-12 16:58
Modified
2024-11-14 23:37
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2693", url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2693.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:37:35+00:00", generator: { date: "2024-11-14T23:37:35+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2693", initial_release_date: "2017-09-12T16:58:04+00:00", revision_history: [ { date: "2017-09-12T16:58:04+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-12T16:58:05+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:37:35+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 7.0 Director for RHEL 7", product: { name: "OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director", product_identification_helper: { cpe: "cpe:/a:redhat:openstack-director:7::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { 
category: "product_version", name: "instack-undercloud-0:2.1.2-41.el7ost.src", product: { name: "instack-undercloud-0:2.1.2-41.el7ost.src", product_id: "instack-undercloud-0:2.1.2-41.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product: { name: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product_id: "instack-undercloud-0:2.1.2-41.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@2.1.2-41.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.1.2-41.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", }, product_reference: "instack-undercloud-0:2.1.2-41.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-7.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:2.1.2-41.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", }, product_reference: "instack-undercloud-0:2.1.2-41.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-7.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where 
pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-12T16:58:04+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2693", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 
6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.noarch", "7Server-RH7-RHOS-7.0-Director:instack-undercloud-0:2.1.2-41.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
rhsa-2017_2557
Vulnerability from csaf_redhat
Published
2017-08-30 13:47
Modified
2024-11-14 23:36
Summary
Red Hat Security Advisory: instack-undercloud security update
Notes
Topic
An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).
Security Fix(es):
* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)
This issue was discovered by Matthew Booth (Red Hat).
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for instack-undercloud is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "instack-undercloud provides a collection of scripts and elements that can be used to install an OpenStack undercloud (using python-instack).\n\nSecurity Fix(es):\n\n* A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2017-7549)\n\nThis issue was discovered by Matthew Booth (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2557", url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2557.json", }, ], title: "Red Hat Security Advisory: instack-undercloud security update", tracking: { current_release_date: "2024-11-14T23:36:50+00:00", generator: { date: "2024-11-14T23:36:50+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2557", initial_release_date: "2017-08-30T13:47:40+00:00", revision_history: [ { date: "2017-08-30T13:47:40+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-30T13:47:40+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:36:50+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenStack 9.0 Director for RHEL 7", product: { name: "OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director", product_identification_helper: { cpe: "cpe:/a:redhat:openstack-director:9::el7", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { 
category: "product_version", name: "instack-undercloud-0:4.0.0-17.el7ost.src", product: { name: "instack-undercloud-0:4.0.0-17.el7ost.src", product_id: "instack-undercloud-0:4.0.0-17.el7ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product: { name: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product_id: "instack-undercloud-0:4.0.0-17.el7ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/instack-undercloud@4.0.0-17.el7ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:4.0.0-17.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", }, product_reference: "instack-undercloud-0:4.0.0-17.el7ost.noarch", relates_to_product_reference: "7Server-RH7-RHOS-9.0-Director", }, { category: "default_component_of", full_product_name: { name: "instack-undercloud-0:4.0.0-17.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7", product_id: "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", }, product_reference: "instack-undercloud-0:4.0.0-17.el7ost.src", relates_to_product_reference: "7Server-RH7-RHOS-9.0-Director", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Matthew Booth", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7549", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2017-07-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1477403", }, ], notes: [ { category: "description", text: "A flaw was found in instack-undercloud where 
pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", title: "Vulnerability description", }, { category: "summary", text: "instack-undercloud: uses hardcoded /tmp paths", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { category: "external", summary: "RHBZ#1477403", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7549", url: "https://www.cve.org/CVERecord?id=CVE-2017-7549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, ], release_date: "2017-08-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-30T13:47:40+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2557", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 
6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", version: "3.0", }, products: [ "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.noarch", "7Server-RH7-RHOS-9.0-Director:instack-undercloud-0:4.0.0-17.el7ost.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "instack-undercloud: uses hardcoded /tmp paths", }, ], }
gsd-2017-7549
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Ocata, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
Aliases
{ GSD: { alias: "CVE-2017-7549", description: "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", id: "GSD-2017-7549", references: [ "https://access.redhat.com/errata/RHSA-2017:2726", "https://access.redhat.com/errata/RHSA-2017:2693", "https://access.redhat.com/errata/RHSA-2017:2687", "https://access.redhat.com/errata/RHSA-2017:2649", "https://access.redhat.com/errata/RHSA-2017:2557", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2017-7549", ], details: "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. 
A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", id: "GSD-2017-7549", modified: "2023-12-13T01:21:07.190022Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2017-7549", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "instack-undercloud", version: { version_data: [ { version_affected: "=", version_value: "Pike, 12: v7.2.0, Ocata, 11: v6.1.0, Newton, 10: v5.3.0", }, ], }, }, ], }, vendor_name: "Red Hat, Inc.", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. 
A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", }, ], }, problemtype: { problemtype_data: [ { description: [ { cweId: "CWE-377", lang: "eng", value: "CWE-377", }, ], }, ], }, references: { reference_data: [ { name: "http://www.securityfocus.com/bid/100407", refsource: "MISC", url: "http://www.securityfocus.com/bid/100407", }, { name: "https://access.redhat.com/errata/RHSA-2017:2557", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { name: "https://access.redhat.com/errata/RHSA-2017:2649", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { name: "https://access.redhat.com/errata/RHSA-2017:2687", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { name: "https://access.redhat.com/errata/RHSA-2017:2693", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { name: "https://access.redhat.com/errata/RHSA-2017:2726", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "==5.3.0||==6.1.0||==7.2.0", affected_versions: "Version 5.3.0, version 6.1.0, version 7.2.0", cvss_v2: "AV:L/AC:M/Au:N/C:P/I:P/A:N", cvss_v3: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", cwe_ids: [ "CWE-1035", "CWE-59", "CWE-937", ], date: "2018-01-05", description: "A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. 
A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", fixed_versions: [ "5.3.1", "6.1.1", "7.3.0", ], identifier: "CVE-2017-7549", identifiers: [ "CVE-2017-7549", ], not_impacted: "All versions before 5.3.0, all versions after 5.3.0, all versions before 6.1.0, all versions after 6.1.0, all versions before 7.2.0, all versions after 7.2.0", package_slug: "pypi/instack-undercloud", pubdate: "2017-09-21", solution: "Upgrade to versions 5.3.1, 6.1.1, 7.3.0 or above.", title: "Improper Link Resolution Before File Access", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", "http://www.securityfocus.com/bid/100407", "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", ], uuid: "29b243c5-db91-44dd-80b0-4f8b047c7e90", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:openstack:instack-undercloud:7.2.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, ], operator: "OR", }, ], cpe_match: [], operator: "AND", }, { children: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:openstack:instack-undercloud:6.1.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, ], operator: "OR", }, ], cpe_match: [], operator: "AND", }, { children: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:openstack:instack-undercloud:5.3.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, ], operator: "OR", }, ], cpe_match: [], operator: "AND", }, ], }, cve: { CVE_data_meta: { ASSIGNER: 
"secalert@redhat.com", ID: "CVE-2017-7549", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-377", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", refsource: "CONFIRM", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { name: "100407", refsource: "BID", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100407", }, { name: "RHSA-2017:2726", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { name: "RHSA-2017:2693", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { name: "RHSA-2017:2687", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { name: "RHSA-2017:2649", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { name: "RHSA-2017:2557", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2557", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 3.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 3.4, impactScore: 4.9, obtainAllPrivilege: false, 
obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "LOW", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", version: "3.0", }, exploitabilityScore: 1.1, impactScore: 4.7, }, }, lastModifiedDate: "2023-02-12T23:31Z", publishedDate: "2017-09-21T21:29Z", }, }, }
ghsa-53wm-97p6-582f
Vulnerability from github
Published
2022-05-13 01:07
Modified
2024-04-22 22:48
Severity ?
Summary
instack-undercloud vulnerable to symlink attack on tmp files
Details
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Ocata, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
{ affected: [ { package: { ecosystem: "PyPI", name: "instack-undercloud", }, ranges: [ { events: [ { introduced: "0", }, { last_affected: "7.2.0", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2017-7549", ], database_specific: { cwe_ids: [ "CWE-377", "CWE-59", ], github_reviewed: true, github_reviewed_at: "2024-04-22T22:48:23Z", nvd_published_at: "2017-09-21T21:29:00Z", severity: "MODERATE", }, details: "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.", id: "GHSA-53wm-97p6-582f", modified: "2024-04-22T22:48:23Z", published: "2022-05-13T01:07:33Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7549", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2557", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2649", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2687", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2693", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2726", }, { type: "WEB", url: "https://access.redhat.com/security/cve/CVE-2017-7549", }, { type: "WEB", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1477403", }, { type: "WEB", url: "https://opendev.org/openstack/instack-undercloud", }, { type: "WEB", url: "https://web.archive.org/web/20170907040549/http://www.securityfocus.com/bid/100407", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", type: "CVSS_V3", }, ], summary: "instack-undercloud vulnerable to symlink attack on tmp files", }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.