CVE-2017-7549 - Insecure Temporary File vulnerability in OpenStack Instack-Undercloud 5.3.0/6.1.0/7.2.0

CVSS 6.4 - MEDIUM
  • Attack vector: LOCAL
  • Attack complexity: HIGH
  • Privileges required: LOW
  • Confidentiality impact: HIGH
  • Integrity impact: LOW
  • Availability impact: NONE

Tags: local, high complexity, openstack, CWE-377

Summary

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Ocata, and 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

Common Weakness Enumeration (CWE)

Red Hat

advisories
  • rhsa id: RHSA-2017:2557
  • rhsa id: RHSA-2017:2649
  • rhsa id: RHSA-2017:2687
  • rhsa id: RHSA-2017:2693
  • rhsa id: RHSA-2017:2726
rpms
  • instack-undercloud-0:4.0.0-17.el7ost
  • instack-undercloud-0:5.3.0-3.el7ost
  • instack-undercloud-0:2.2.7-10.el7ost
  • instack-undercloud-0:2.1.2-41.el7ost
  • instack-undercloud-0:6.1.0-3.el7ost