CVE-2016-9590
An information-disclosure flaw was discovered in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions.
Find out more about CVE-2016-9590 from the MITRE CVE dictionary and NIST NVD.
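A check for the condition described above, as an added example that is not part of the advisory or of Red Hat's tooling: it reports Swift configuration files whose mode has the world-read bit set. The `/etc/swift` directory and the function names are assumptions; the advisory names only `proxy-server.conf`.

```shell
#!/bin/sh
# Added example: audit Swift config files for the world-readable condition
# described in CVE-2016-9590. Detection only; it changes nothing on disk.

# Assumed default location of the Swift configuration (not stated on the page).
SWIFT_CONF_DIR="${SWIFT_CONF_DIR:-/etc/swift}"

# is_world_readable FILE
#   exit 0 if FILE is a regular file with the "other" read bit (octal 004) set,
#   exit 1 if the bit is clear, exit 2 if FILE is not a regular file.
is_world_readable() {
    [ -f "$1" ] || return 2
    # find prints the path only when the mode includes o+r; -L follows symlinks
    [ -n "$(find -L "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# audit_swift_conf [DIR]
#   Prints one line per world-readable *.conf file in DIR (mode, owner, group, path).
#   Returns 1 if any were found, 0 if none, 2 if DIR does not exist.
audit_swift_conf() {
    dir="${1:-$SWIFT_CONF_DIR}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    found=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue          # glob matched nothing
        if is_world_readable "$f"; then
            echo "WORLD-READABLE $(ls -l "$f" | awk '{print $1, $3, $4}') $f"
            found=1
        fi
    done
    return "$found"
}

# Usage on a deployed node (run after each director deployment or update,
# since the flaw is that the file is recreated during installation):
#   audit_swift_conf /etc/swift || echo "review file modes and apply the errata"
```

Because the file is removed and recreated by the Puppet run, a one-time manual permission change can be undone by the next deployment; the errata listed below are the fix, and this check is useful for confirming the result.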
CVSS v3 metrics
| CVSS3 Base Score | 6.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenStack Platform 10 (puppet-swift) | RHSA-2017:0200 | 2017-01-26 |
| Red Hat OpenStack Platform 9.0 (openstack-puppet-modules) | RHSA-2017:0359 | 2017-03-01 |
| Red Hat OpenStack Platform 8.0 (Liberty) (openstack-puppet-modules) | RHSA-2017:0361 | 2017-03-01 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 11.0 (Ocata) | puppet-swift | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | openstack-puppet-modules | Not affected |
