CVE-2017-15103

Impact:
Important
Public Date:
2017-12-18
CWE:
CWE-78
Bugzilla:
1510147: CVE-2017-15103 heketi: OS command injection in heketi API
A security-check flaw was found in the way the Heketi server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation.

Find out more about CVE-2017-15103 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 8.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Gluster Storage Server 3.3 on RHEL-7 (heketi) RHSA-2017:3481 2017-12-18

Acknowledgements

Red Hat would like to thank Markus Krell (NTT Security) for reporting this issue.
Last Modified