CVE-2017-2627

Published: Aug 22, 2018Modified: Nov 21, 2024

8.2

Vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 1.5 / Impact: 6.0

Source: NVD

Description

A flaw was found in openstack-tripleo-common as shipped with Red Hat Openstack Enterprise 10 and 11. The sudoers file as installed with OSP's openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with '..' and it grants full passwordless root access to the validations user.

Affected (3)

Products: Redhat: Openstack · Openstack: Tripleo Common

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Openstack	Version 10
Redhat Openstack	Version 11

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Openstack Tripleo Common	All versions

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2627

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2627

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.