CVE-2017-12155 – tripleo-heat-templates
Package
Manager: pip
Name: tripleo-heat-templates
Vulnerable Version: >=0 <7.0.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00047 (percentile 0.13841)
Details
OpenStack tripleo-heat-templates unauthenticated file access

A resource-permission flaw was found in the `tripleo-heat-templates` package where `ceph.client.openstack.keyring` is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions [7.0.6](https://github.com/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4) and [8.0.0](https://github.com/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30).
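A host-side check for the condition described above, added here as an example and not taken from the advisory or from tripleo-heat-templates: it lists keyring files that grant any permission to "other" users and can clear those bits. The directory `/etc/ceph`, the `.keyring` suffix filter, the function names and the sample files are assumptions; the advisory names only the file `ceph.client.openstack.keyring`.

```python
import os
import stat
import tempfile

# Assumed location: the advisory names the file, not its directory.
DEFAULT_KEYRING_DIR = "/etc/ceph"

def audit_keyrings(directory=DEFAULT_KEYRING_DIR, suffix=".keyring"):
    """Return [(path, octal_mode)] for keyrings that grant any access to 'other'."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(suffix):
            continue
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)  # follows symlinks: the target's mode is what matters
        except OSError:
            continue  # dangling link, or file removed during the scan
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IRWXO:
            findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings

def restrict_keyring(path):
    """Clear every 'other' permission bit; owner and group bits are left unchanged."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)
    return oct(stat.S_IMODE(os.stat(path).st_mode))

def demo():
    """Constructed sample: one world-readable keyring beside a restricted one."""
    with tempfile.TemporaryDirectory() as d:
        exposed = os.path.join(d, "ceph.client.openstack.keyring")
        private = os.path.join(d, "ceph.client.example.keyring")  # constructed name
        for path, mode in ((exposed, 0o644), (private, 0o600)):
            with open(path, "w") as fh:
                fh.write("[client.example]\n\tkey = CONSTRUCTED-PLACEHOLDER\n")
            os.chmod(path, mode)  # set explicitly so the umask does not matter
        before = [(os.path.basename(p), m) for p, m in audit_keyrings(d)]
        fixed_mode = restrict_keyring(exposed)
        after = audit_keyrings(d)
        return before, fixed_mode, after

if __name__ == "__main__":
    print(demo())
```

Which owner and group the keyring should have is a deployment decision; the check only reports and removes access for users outside them.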
Metadata
Created: 2022-05-13T01:42:38Z
Modified: 2023-10-10T15:43:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w8gx-hhcx-px6w/GHSA-w8gx-hhcx-px6w.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-w8gx-hhcx-px6w
Finding: F006
Auto approve: 1