Access-Control Flaw in OpenStack Orchestration Service by Red Hat
CVE-2017-2621
5.9MEDIUM
Summary
An access-control vulnerability exists in the OpenStack Orchestration (heat) service in specific versions prior to 8.0.0, 6.1.0, and 7.0.2. This flaw allows a malicious user on the same system to access service log directories that should be restricted. The improper configuration made certain directories world-readable, potentially exposing sensitive information to unauthorized users. Organizations running affected versions are advised to review their security measures to mitigate risks associated with this vulnerability.
Affected Version(s)
openstack-heat openstack-heat-8.0.0
openstack-heat openstack-heat-6.1.0
openstack-heat openstack-heat-7.0.2
References
CVSS V3.1
Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved