CVE-2017-10689

Impact:
Low
Public Date:
2017-08-28
CWE:
CWE-284
Bugzilla:
1542850: CVE-2017-10689 puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions

The MITRE CVE dictionary describes this issue as:

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.

Find out more about CVE-2017-10689 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat Product Security has rated this issue as having security impact of Low. This issue affects the versions of puppet as shipped with:
* Red Hat Satellite 6. A future update may address this issue.
* Red Hat OpenStack Platform versions 6-12. Although the affected code is present in shipped packages, the affected code can only be exploited by deploying unsupported custom puppet modules. This issue is not currently planned to be addressed in future updates.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v3 metrics

CVSS3 Base Score 2.8
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity Impact Low
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat Satellite 6.4 for RHEL 7 RHSA-2018:2927 2018-10-16
Red Hat Satellite 6.4 for RHEL 7 RHSA-2018:2927 2018-10-16

Affected Packages State

Platform Package State
Red Hat Satellite 6 puppet Will not fix
Red Hat OpenStack Platform 9.0 puppet Will not fix
Red Hat OpenStack Platform 8.0 (Liberty) puppet Will not fix
Red Hat OpenStack Platform 13.0 (Queens) puppet Will not fix
Red Hat OpenStack Platform 12.0 puppet Will not fix
Red Hat OpenStack Platform 11.0 (Ocata) puppet Will not fix
Red Hat OpenStack Platform 10 puppet Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 puppet Will not fix
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 puppet Will not fix

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.