CVE-2016-9590 — Sensitive Information Exposure in Puppet-swift

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 48.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Puppet-swift Redhat Openstack

Timeline

PublishedApr 26

Latest updateMay 13

Description

puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDopenstack/puppet-swift8.0.0 — 8.2.1+1

▶NVDredhat/openstack10, 8, 9+2

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-7q5j-cmrw-cmmc: puppet-swift before versions 8↗2022-05-13

▶

OSV

CVE-2016-9590: puppet-swift before versions 8↗2018-04-26

▶

CVEList

CVE-2016-9590: puppet-swift before versions 8↗2018-04-26

▶

📋Vendor Advisories

Red Hat

puppet-swift: installs config file with world readable permissions↗2017-01-12

▶

Debian

CVE-2016-9590: puppet-module-swift - puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclo...↗2016

▶

💬Community

Bugzilla

CVE-2016-9590 puppet-swift: installs config file with world readable permissions [openstack-rdo]↗2017-01-12

▶

Bugzilla

CVE-2016-9590 puppet-swift: installs config file with world readable permissions↗2017-01-05

▶