PYSEC-2026-645

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/instack-undercloud/PYSEC-2026-645.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-645
Aliases
Published
2026-07-02T14:13:22.649014Z
Modified
2026-07-06T08:11:25.423894871Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
Summary
instack-undercloud vulnerable to symlink attack on tmp files
Details

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

References

Affected packages

PyPI / instack-undercloud

Package

Name
instack-undercloud
View open source insights on deps.dev
Purl
pkg:pypi/instack-undercloud

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
7.2.0

Affected versions

4.*
4.0.1.dev90
4.1.0
4.2.0
4.2.1
5.*
5.0.0.0b1
5.0.0.0b2
5.0.0.0b3
5.0.0.0rc1
5.0.0.0rc2
5.0.0.0rc3
5.0.0
5.1.0
5.2.0
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
6.*
6.0.0.0b2
6.0.0.0rc1
6.0.0.0rc2
6.0.0
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
7.*
7.0.0.0b1
7.0.0
7.1.0
7.2.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/instack-undercloud/PYSEC-2026-645.yaml"