CVE-2017-2621Files or Directories Accessible to External Parties in Heat

CWE-552Files or Directories Accessible to External PartiesCWE-532Log File Information Exposure8 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.1%
top 78.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Openstack HeatRED HAT Openstack-heatRedhat Openstack
Timeline
PublishedJul 27
Latest updateMay 3

Description

An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

NVDopenstack/heat< 8.0.0
Ubuntuopenstack/heat< 2014.1.5-0ubuntu1+1
CVEListV5red_hat/openstack-heatopenstack-heat-6.1.0, openstack-heat-7.0.2, openstack-heat-8.0.0+2
NVDredhat/openstack10, 9+1

🔴Vulnerability Details

3
GHSA
GHSA-93f2-xp2g-gqxp: An access-control flaw was found in the OpenStack Orchestration (heat) service before 82022-05-03
OSV
CVE-2017-2621: An access-control flaw was found in the OpenStack Orchestration (heat) service before 82018-07-27
CVEList
CVE-2017-2621: An access-control flaw was found in the OpenStack Orchestration (heat) service before 82018-07-27

📋Vendor Advisories

2
Red Hat
openstack-heat: /var/log/heat/ is world readable2017-02-15
Debian
CVE-2017-2621: heat - An access-control flaw was found in the OpenStack Orchestration (heat) service b...2017

💬Community

2
Bugzilla
CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable [openstack-rdo]2017-02-14
Bugzilla
CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable2017-02-10
CVE-2017-2621 — Openstack Heat vulnerability | cvebase