CVE-2016-9599 — Improper Access Control in Puppet-tripleo

CWE-284 — Improper Access Control6 documents5 sources

Severity

7.5HIGHNVD

CNA7.1

EPSS

0.2%

top 60.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Puppet-tripleo Redhat Openstack

Timeline

PublishedApr 24

Latest updateMay 13

Description

puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDopenstack/puppet-tripleo5.5.0, 6.2.0+1

▶NVDredhat/openstack10

🔴Vulnerability Details

GHSA

GHSA-f29f-jrc4-qmh5: puppet-tripleo before versions 5↗2022-05-13

▶

CVEList

CVE-2016-9599: puppet-tripleo before versions 5↗2018-04-23

▶

📋Vendor Advisories

Red Hat

puppet-tripleo: if ssl is enabled, traffic is open on both undercloud and overcloud↗2016-12-22

▶

💬Community

Bugzilla

CVE-2016-9599 puppet-tripleo: if ssl is enabled, traffic is open on both undercloud and overcloud↗2017-01-03

▶

Bugzilla

CVE-2016-9599 puppet-tripleo:if ssl is enabled, traffic is open on both undercloud and overcloud [openstack-rdo]↗2017-01-03

▶