Access-Control Flaw in OpenStack Orchestration Service by Red Hat
CVE-2017-2621

5.9MEDIUM

Key Information:

Vendor
Red Hat
Status
Openstack-heat
Vendor
CVE Published:
27 July 2018

Summary

An access-control vulnerability exists in the OpenStack Orchestration (heat) service in specific versions prior to 8.0.0, 6.1.0, and 7.0.2. This flaw allows a malicious user on the same system to access service log directories that should be restricted. The improper configuration made certain directories world-readable, potentially exposing sensitive information to unauthorized users. Organizations running affected versions are advised to review their security measures to mitigate risks associated with this vulnerability.

Affected Version(s)

openstack-heat openstack-heat-8.0.0

openstack-heat openstack-heat-6.1.0

openstack-heat openstack-heat-7.0.2

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2621
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2017:1243
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:1464
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.