CVE-2017-12155

{"id": "CVE-2017-12155", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.0}]}, "published": "2017-12-12T20:29:00.227", "references": [{"url": "https://access.redhat.com/errata/RHSA-2018:0602", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2018:1593", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2018:1627", "source": "secalert@redhat.com"}, {"url": "https://bugs.launchpad.net/tripleo/+bug/1720787", "tags": ["Issue Tracking", "Patch"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360", "tags": ["Issue Tracking", "Mitigation"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad de permisos de recursos en el paquete openstack-tripleo-heat-templates donde se crea ceph.client.openstack.keyring con el permiso world-readable. Un atacante local con acceso a la clave podr\u00eda leer o modificar datos en los pools de memoria del cl\u00faster de Cepth para OpenStack como si el atacante fuera el servicio OpenStack, pudiendo leer o modificar datos en un volumen de OpenStack Block Storage."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ceph:ceph:-:*:*:*:*:openstack:*:*", "vulnerable": true, "matchCriteriaId": "5CF5A09E-C354-401D-8415-B6BA994C857E"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}