CVE-2015-3156
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2015-3156
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2015-3156.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2015-3156
- Aliases
- Downstream
- Related
- Published
- 2017-08-11T21:29:00Z
- Modified
- 2025-07-29T06:51:19.506287Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The writeconfig function in trove/guestagent/datastore/experimental/mongodb/service.py, resetconfiguration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, writeconfig function in trove/guestagent/datastore/experimental/redis/service.py, writemycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::runprepare function in trove/guestagent/strategies/restore/mysqlimpl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysqlimpl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysqlimpl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysqlimpl.py, getactualdbstatus function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file.
- References
-
- https://bugs.launchpad.net/trove/+bug/1398195
- https://bugzilla.redhat.com/show_bug.cgi?id=1216073
- https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/cassandra/service.py#L230
- https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/mongodb/service.py#L176
- https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/redis/service.py#L236
- https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/mysql/service.py#L790
- https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/experimental/couchbase_impl.py#L30
- https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/mysql_impl.py#L110
- https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/mysql_impl.py#L36
- https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/mysql_impl.py#L55
- https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/restore/mysql_impl.py#L194
- https://security-tracker.debian.org/tracker/CVE-2015-3156
Affected packages
Debian:12 / openstack-trove
Package
- Name
- openstack-trove
- Purl
- pkg:deb/debian/openstack-trove?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1:18.*
1:19.*
1:20.*
1:21.*
1:22.*
1:23.*
Debian:13 / openstack-trove
Package
- Name
- openstack-trove
- Purl
- pkg:deb/debian/openstack-trove?arch=source