7.2.0

CVSS 6.4 - MEDIUM

Attack vector

LOCAL

Attack complexity

HIGH

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

LOW

Availability impact

NONE

local

high complexity

openstack

CWE-377

NVD

Published: 2017-09-21

Updated: 2023-02-12

Summary

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

Vulnerable Configurations

Part	Description	Count
Application	Openstack Openstack Instack Undercloud 7.2.0 Openstack Instack Undercloud 6.1.0 Openstack Instack Undercloud 5.3.0	3
Application	Redhat Redhat Openstack 12 Redhat Openstack 11 Redhat Openstack 10	3

Common Weakness Enumeration (CWE)

CWE-377 - Insecure Temporary File

Redhat

advisories

rhsa
id RHSA-2017:2557
rhsa
id RHSA-2017:2649
rhsa
id RHSA-2017:2687
rhsa
id RHSA-2017:2693
rhsa
id RHSA-2017:2726

rpms

instack-undercloud-0:4.0.0-17.el7ost
instack-undercloud-0:5.3.0-3.el7ost
instack-undercloud-0:2.2.7-10.el7ost
instack-undercloud-0:2.1.2-41.el7ost
instack-undercloud-0:6.1.0-3.el7ost

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Redhat

References