Vulnerability-Lookup

CVE-2017-12155 (GCVE-0-2017-12155)

Vulnerability from cvelistv5 – Published: 2017-12-12 20:00 – Updated: 2024-09-16 17:22

Summary

A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.

Severity ?

No CVSS data available.

CWE

Incorrect Permission Assignment for Critical Resource

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2018:1593	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:1627	vendor-advisoryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=1489360	x_refsource_CONFIRM
	https://bugs.launchpad.net/tripleo/+bug/1720787	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2018:0602	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	OpenStack	openstack-tripleo-heat-templates	Affected: Newton, Ocata, Pike and possibly older

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:28:16.604Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:1593",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1593"
          },
          {
            "name": "RHSA-2018:1627",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1627"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
          },
          {
            "name": "RHSA-2018:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0602"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openstack-tripleo-heat-templates",
          "vendor": "OpenStack",
          "versions": [
            {
              "status": "affected",
              "version": "Newton, Ocata, Pike and possibly older"
            }
          ]
        }
      ],
      "datePublic": "2017-09-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-19T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2018:1593",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1593"
        },
        {
          "name": "RHSA-2018:1627",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1627"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
        },
        {
          "name": "RHSA-2018:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0602"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "DATE_PUBLIC": "2017-09-20T00:00:00",
          "ID": "CVE-2017-12155",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "openstack-tripleo-heat-templates",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Newton, Ocata, Pike and possibly older"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OpenStack"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Incorrect Permission Assignment for Critical Resource"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:1593",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1593"
            },
            {
              "name": "RHSA-2018:1627",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1627"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
            },
            {
              "name": "https://bugs.launchpad.net/tripleo/+bug/1720787",
              "refsource": "CONFIRM",
              "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
            },
            {
              "name": "RHSA-2018:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0602"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2017-12155",
    "datePublished": "2017-12-12T20:00:00.000Z",
    "dateReserved": "2017-08-01T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:22:48.181Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-W8GX-HHCX-PX6W

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2023-10-10 15:43

Summary

Openstack tripleo-heat-templates unauthenticated file access

Details

A resource-permission flaw was found in the tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions 7.0.6 and 8.0.0.

Severity ?

6.3 (Medium)


                  
                    CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tripleo-heat-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-12155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-26T19:02:59Z",
    "nvd_published_at": "2017-12-12T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A resource-permission flaw was found in the `tripleo-heat-templates` package where `ceph.client.openstack.keyring` is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions [7.0.6](https://github.com/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4) and [8.0.0](https://github.com/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30).",
  "id": "GHSA-w8gx-hhcx-px6w",
  "modified": "2023-10-10T15:43:09Z",
  "published": "2022-05-13T01:42:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12155"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0602"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1593"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1627"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/tripleo-heat-templates"
    },
    {
      "type": "WEB",
      "url": "https://opendev.org/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4"
    },
    {
      "type": "WEB",
      "url": "https://opendev.org/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Openstack tripleo-heat-templates unauthenticated file access"
}

GSD-2017-12155

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-12155

Aliases

CVE-2017-12155

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-12155",
    "description": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.",
    "id": "GSD-2017-12155",
    "references": [
      "https://access.redhat.com/errata/RHSA-2018:1627",
      "https://access.redhat.com/errata/RHSA-2018:1593",
      "https://access.redhat.com/errata/RHSA-2018:0602"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-12155"
      ],
      "details": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.",
      "id": "GSD-2017-12155",
      "modified": "2023-12-13T01:21:03.773211Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "DATE_PUBLIC": "2017-09-20T00:00:00",
        "ID": "CVE-2017-12155",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "openstack-tripleo-heat-templates",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Newton, Ocata, Pike and possibly older"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "OpenStack"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Incorrect Permission Assignment for Critical Resource"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "RHSA-2018:1593",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1593"
          },
          {
            "name": "RHSA-2018:1627",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1627"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
          },
          {
            "name": "https://bugs.launchpad.net/tripleo/+bug/1720787",
            "refsource": "CONFIRM",
            "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
          },
          {
            "name": "RHSA-2018:0602",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:0602"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=7.4.7",
          "affected_versions": "All versions up to 7.4.7",
          "cvss_v2": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-306",
            "CWE-937"
          ],
          "date": "2023-07-26",
          "description": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.",
          "fixed_versions": [],
          "identifier": "CVE-2017-12155",
          "identifiers": [
            "GHSA-w8gx-hhcx-px6w",
            "CVE-2017-12155"
          ],
          "not_impacted": "",
          "package_slug": "pypi/tripleo-heat-templates",
          "pubdate": "2022-05-13",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Missing Authentication for Critical Function",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-12155",
            "https://access.redhat.com/errata/RHSA-2018:0602",
            "https://access.redhat.com/errata/RHSA-2018:1593",
            "https://access.redhat.com/errata/RHSA-2018:1627",
            "https://bugs.launchpad.net/tripleo/+bug/1720787",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1489360",
            "https://github.com/advisories/GHSA-w8gx-hhcx-px6w"
          ],
          "uuid": "2e25d84d-d2a6-4662-b3e9-4ff1b09f36c3"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ceph:ceph:-:*:*:*:*:openstack:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-12155"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-306"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Mitigation"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
            },
            {
              "name": "https://bugs.launchpad.net/tripleo/+bug/1720787",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch"
              ],
              "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
            },
            {
              "name": "RHSA-2018:0602",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2018:0602"
            },
            {
              "name": "RHSA-2018:1627",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2018:1627"
            },
            {
              "name": "RHSA-2018:1593",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2018:1593"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2017-12-12T20:29Z"
    }
  }
}

CNVD-2018-00667

Vulnerability from cnvd - Published: 2018-01-10

Title

openstack-tripleo-heat-templates包信息泄露漏洞

Description

openstack-tripleo-heat-templates package是一套支持使用Openstack云设施对Openstack平台进行安装、升级等操作的通用模板软件包。 openstack-tripleo-heat-templates包中存在安全漏洞，该漏洞源于程序将ceph.client.openstack.keyring创建成全局可读取。本地攻击者可利用该漏洞读取或更改Ceph集群池上的数据。

Severity

低

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.openstack.org/

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=1489360

Impacted products

Name
OpenStack openstack-tripleo-heat-templates

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12155"
    }
  },
  "description": "openstack-tripleo-heat-templates package\u662f\u4e00\u5957\u652f\u6301\u4f7f\u7528Openstack\u4e91\u8bbe\u65bd\u5bf9Openstack\u5e73\u53f0\u8fdb\u884c\u5b89\u88c5\u3001\u5347\u7ea7\u7b49\u64cd\u4f5c\u7684\u901a\u7528\u6a21\u677f\u8f6f\u4ef6\u5305\u3002\r\n\r\nopenstack-tripleo-heat-templates\u5305\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06ceph.client.openstack.keyring\u521b\u5efa\u6210\u5168\u5c40\u53ef\u8bfb\u53d6\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u6216\u66f4\u6539Ceph\u96c6\u7fa4\u6c60\u4e0a\u7684\u6570\u636e\u3002",
  "discovererName": "Adam Mari\u0161",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.openstack.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-00667",
  "openTime": "2018-01-10",
  "products": {
    "product": "OpenStack openstack-tripleo-heat-templates"
  },
  "referenceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360",
  "serverity": "\u4f4e",
  "submitTime": "2017-12-14",
  "title": "openstack-tripleo-heat-templates\u5305\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

FKIE_CVE-2017-12155

Vulnerability from fkie_nvd - Published: 2017-12-12 20:29 - Updated: 2025-04-20 01:37

Severity ?

6.3 (Medium) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2018:0602
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2018:1593
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2018:1627
secalert@redhat.com	https://bugs.launchpad.net/tripleo/+bug/1720787	Issue Tracking, Patch
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1489360	Issue Tracking, Mitigation
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:0602
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1593
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1627
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/tripleo/+bug/1720787	Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1489360	Issue Tracking, Mitigation

Impacted products

	Vendor	Product	Version
	ceph	ceph	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ceph:ceph:-:*:*:*:*:openstack:*:*",
              "matchCriteriaId": "5CF5A09E-C354-401D-8415-B6BA994C857E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 una vulnerabilidad de permisos de recursos en el paquete openstack-tripleo-heat-templates donde se crea ceph.client.openstack.keyring con el permiso world-readable. Un atacante local con acceso a la clave podr\u00eda leer o modificar datos en los pools de memoria del cl\u00faster de Cepth para OpenStack como si el atacante fuera el servicio OpenStack, pudiendo leer o modificar datos en un volumen de OpenStack Block Storage."
    }
  ],
  "id": "CVE-2017-12155",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-12-12T20:29:00.227",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2018:0602"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2018:1593"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2018:1627"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Mitigation"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2018:0602"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2018:1593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2018:1627"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mitigation"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-12155 (GCVE-0-2017-12155)

GHSA-W8GX-HHCX-PX6W

GSD-2017-12155

CNVD-2018-00667

FKIE_CVE-2017-12155

Tags

Sightings

Nomenclature