Resource-Permission Flaw in OpenStack Tripleo Heat Templates
CVE-2017-12155
6.3 MEDIUM
Key Information:
- Vendor: OpenStack
- CVE Published: 12 December 2017
Summary
A resource-permission flaw exists in the openstack-tripleo-heat-templates package, where the ceph.client.openstack.keyring is inadvertently created with world-readable permissions. This misconfiguration allows a local attacker with access to the key to act as the OpenStack service, presenting significant risks that include unauthorized reading and modification of data within Ceph cluster pools. Attackers could potentially gain access to sensitive information stored in OpenStack Block Storage volumes, leading to severe consequences for data integrity and confidentiality.
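A defender can check a node for the condition described above by inspecting the mode bits of the keyring files. The following audit is an added example, not code from this advisory or from the tripleo-heat-templates project; the `/etc/ceph` directory and the function names are assumptions, since the advisory names only the file.

```python
import os
import stat

# Assumption: Ceph keyrings are usually kept under /etc/ceph; the advisory gives no path.
DEFAULT_KEYRING_DIR = "/etc/ceph"

# Permission bits that expose a keyring beyond its owner.
CHECKS = [
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IRGRP, "group-readable"),
    (stat.S_IWGRP, "group-writable"),
]

def audit_keyrings(directory=DEFAULT_KEYRING_DIR):
    """Map each exposed *.keyring file in `directory` to (octal mode, findings).

    Keyrings accessible only to their owner are omitted from the result.
    """
    report = {}
    for entry in sorted(os.listdir(directory)):
        if not entry.endswith(".keyring"):
            continue
        try:
            # os.stat follows symlinks: the target's mode decides who can read the key
            st = os.stat(os.path.join(directory, entry))
        except OSError:
            continue  # dangling symlink or file removed during the scan
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        findings = [label for bit, label in CHECKS if mode & bit]
        if findings:
            report[entry] = (oct(mode), findings)
    return report

def is_vulnerable(report, name="ceph.client.openstack.keyring"):
    """True when the keyring named in the advisory is readable by any local user."""
    return name in report and "world-readable" in report[name][1]

if __name__ == "__main__":
    if os.path.isdir(DEFAULT_KEYRING_DIR):
        for name, (mode, findings) in audit_keyrings().items():
            print(f"{name}: mode {mode}: {', '.join(findings)}")
```

Group-level findings are reported for review and are not treated as this flaw; only the world-readable bit on the named keyring matches the advisory.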
Affected Version(s)
openstack-tripleo-heat-templates Newton, Ocata, Pike and possibly older
CVSS V3.1
Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved