CVE-2017-7549

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

References

Affected packages

Git / github.com/openstack/instack-undercloud

Affected ranges

Type

GIT

Repo

https://github.com/openstack/instack-undercloud

Events

Introduced

Last affected

65e5dec70ef7d27b5a3f16803dac58500b480506

Introduced

Last affected

6790ae8b3d17e6a7aea2a7bf854763486d30c2a1

Introduced

Last affected

b3a7d23bfe5ad393400ac9a96ae66a628bdd43a7

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.2.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.1.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.3.0"
        }
    ]
}

Affected versions

1.*

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22

1.0.23

1.0.24

1.0.25

1.0.26

1.0.27

1.0.28

1.0.29

1.0.30

1.0.31

1.0.32

1.0.33

1.0.6

1.0.7

1.0.8

1.0.9

2.*

2.0.0

2.1.0

2.1.1

2.1.2

3.*

3.0.0

4.*

4.0.0

5.*

5.0.0

5.0.0.0b1

5.0.0.0b2

5.0.0.0b3

5.0.0.0rc1

5.0.0.0rc2

5.0.0.0rc3

5.1.0

5.2.0

5.3.0

6.*

6.0.0

6.0.0.0b2

6.0.0.0rc1

6.0.0.0rc2

6.1.0

7.*

7.0.0

7.0.0.0b1

7.1.0

7.2.0

Other

sprint4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7549.json"