GHSA-53wm-97p6-582f

Source

https://github.com/advisories/GHSA-53wm-97p6-582f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-53wm-97p6-582f/GHSA-53wm-97p6-582f.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-53wm-97p6-582f

Aliases

CVE-2017-7549

Published

2022-05-13T01:07:33Z

Modified

2024-04-22T23:12:44.083390Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator

Summary

instack-undercloud vulnerable to symlink attack on tmp files

Details

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

Database specific

{
    "nvd_published_at": "2017-09-21T21:29:00Z",
    "cwe_ids": [
        "CWE-377",
        "CWE-59"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T22:48:23Z"
}

References

Affected packages

PyPI / instack-undercloud

Package

Name: instack-undercloud; View open source insights on deps.dev
Purl: pkg:pypi/instack-undercloud

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

7.2.0

Affected versions

4.*

4.0.1.dev90

4.1.0

4.2.0

4.2.1

5.*

5.0.0.0b1

5.0.0.0b2

5.0.0.0b3

5.0.0.0rc1

5.0.0.0rc2

5.0.0.0rc3

5.0.0

5.1.0

5.2.0

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

6.*

6.0.0.0b2

6.0.0.0rc1

6.0.0.0rc2

6.0.0

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.8

7.*

7.0.0.0b1

7.0.0

7.1.0

7.2.0