FKIE_CVE-2017-12155

Vulnerability from fkie_nvd - Published: 2017-12-12 20:29 - Updated: 2025-04-20 01:37
Severity ?
6.3 (Medium) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:0602
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:1593
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:1627
secalert@redhat.comhttps://bugs.launchpad.net/tripleo/+bug/1720787Issue Tracking, Patch
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1489360Issue Tracking, Mitigation
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:0602
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:1593
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:1627
af854a3a-2127-422b-91ae-364da2661108https://bugs.launchpad.net/tripleo/+bug/1720787Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1489360Issue Tracking, Mitigation
Impacted products
Vendor Product Version
ceph ceph -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ceph:ceph:-:*:*:*:*:openstack:*:*",
              "matchCriteriaId": "5CF5A09E-C354-401D-8415-B6BA994C857E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 una vulnerabilidad de permisos de recursos en el paquete openstack-tripleo-heat-templates donde se crea ceph.client.openstack.keyring con el permiso world-readable. Un atacante local con acceso a la clave podr\u00eda leer o modificar datos en los pools de memoria del cl\u00faster de Cepth para OpenStack como si el atacante fuera el servicio OpenStack, pudiendo leer o modificar datos en un volumen de OpenStack Block Storage."
    }
  ],
  "id": "CVE-2017-12155",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-12-12T20:29:00.227",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2018:0602"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2018:1593"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2018:1627"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Mitigation"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2018:0602"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2018:1593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2018:1627"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mitigation"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.