crowbar provision leaks admin password to all nodes in cleartext
CVE-2018-17954

9.3CRITICAL

Key Information:

Vendor: Suse
Status: Suse Openstack Cloud 7; Suse Openstack Cloud 8; Suse Openstack Cloud 9; Suse Openstack Cloud Crowbar 8
Vendor: CVE Published:; 3 April 2020

What is CVE-2018-17954?

An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-.

Affected Version(s)

SUSE OpenStack Cloud 7 crowbar-core < 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-

SUSE OpenStack Cloud 8 ardana-cinder < 8.0+git.1579279939.ee7da88-3.39.3, ardana-

SUSE OpenStack Cloud 9 ardana-ansible < 9.0+git.1581611758.f694f7d-3.16.1, ardana-

References

https://bugzilla.suse.com/show_bug.cgi?id=1117080

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2020
Vulnerability Reserved
Oct 3, 2018

Credit

Dirk Mueller of SUSE

Suse

What is CVE-2018-17954?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit