Private Configuration Information Exposed in OpenStack Designate
CVE-2023-6725

6.6MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Openstack Platform 17.1 For Rhel 8; Red Hat Openstack Platform 17.1 For Rhel 9; Red Hat Openstack Platform 16.1; Red Hat Openstack Platform 16.2
Vendor: CVE Published:; 15 March 2024

Summary

An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.

Affected Version(s)

Red Hat OpenStack Platform 17.1 for RHEL 8 0:14.3.1-17.1.20231103003762.el8ost

Red Hat OpenStack Platform 17.1 for RHEL 8 0:3.3.1-17.1.20231101233754.el8ost

Red Hat OpenStack Platform 17.1 for RHEL 9 0:14.3.1-17.1.20231103010840.el9ost

References

https://access.redhat.com/errata/RHSA-2024:2736

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2024:2770

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/security/cve/CVE-2023-6725

vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 15, 2024
Vulnerability Reserved
Dec 12, 2023

Collectors

NVD DatabaseMitre Database

Credit

This issue was discovered by Michael Johnson (Red Hat).