Description
keycloak-httpd-client-install versions before 0.8 insecurely create a temporary file, allowing local attackers to overwrite other files via a symbolic link.
It was discovered that keycloak-httpd-client-install uses a predictable log file name in /tmp. A local attacker could create a symbolic link to a sensitive location, possibly causing data corruption or denial of service.
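The predictable-name problem described above, as an added example (not code from keycloak-httpd-client-install or Red Hat). The file name `tool.log`, the function names, and the scratch directory standing in for /tmp are assumptions made for illustration.

```python
import os
import stat
import tempfile

def open_log_naive(path):
    """Vulnerable pattern: open() follows a symlink already present at a predictable path."""
    return open(path, "a")

def open_log_hardened(path):
    """Append to a log file, refusing symlinks and unexpected targets."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # OSError (ELOOP) if the final component is a symlink
    try:
        st = os.fstat(fd)  # check the opened descriptor, not the path, to avoid a race
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
            raise PermissionError(f"refusing unexpected log target: {path}")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def demo():
    """Constructed scenario in a private scratch directory standing in for /tmp."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "important.conf")  # constructed sample file
        log_path = os.path.join(scratch, "tool.log")      # hypothetical predictable name
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, log_path)  # link already in place before the tool runs

        with open_log_naive(log_path) as log:
            log.write("log line\n")
        with open(victim) as f:
            naive_corrupted = f.read() != "original\n"

        with open(victim, "w") as f:  # restore, then try the hardened opener
            f.write("original\n")
        try:
            open_log_hardened(log_path).close()
            hardened_refused = False
        except OSError:
            hardened_refused = True
        with open(victim) as f:
            hardened_intact = f.read() == "original\n"
    return naive_corrupted, hardened_refused, hardened_intact
```

Using `tempfile.mkstemp()` or a log directory writable only by the invoking user avoids the predictable name altogether.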
Statement
Red Hat Product Security has rated this issue as having security impact of Low. This issue may be fixed in a future version of Red Hat Enterprise Linux. OpenStack users please note, this issue is present in:
- Red Hat OpenStack Platform 9.0 (Mitaka)
- Red Hat OpenStack Platform 10.0 (Newton)
- Red Hat OpenStack Platform 11.0 (Ocata)

If a fixed version of keycloak-httpd-client-install is made available in Red Hat Enterprise Linux, OpenStack customers should consume this package directly from the Red Hat Enterprise Linux channel (this occurs during normal updates).
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenStack Platform 10 (Newton) | keycloak-httpd-client-install | Will not fix | | |
| Red Hat OpenStack Platform 11 (Ocata) | keycloak-httpd-client-install | Will not fix | | |
| Red Hat OpenStack Platform 9 (Mitaka) | keycloak-httpd-client-install | Will not fix | | |
| Red Hat Enterprise Linux 7 | keycloak-httpd-client-install | Fixed | RHSA-2019:2137 | 06.08.2019 |
Additional information
Status:
EPSS
3.9 Low
CVSS3
Related vulnerabilities
keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link.
keycloak-httpd-client-install versions before 0.8 insecurely creates t ...
keycloak-httpd-client-install symlink attack vulnerability
ELSA-2019-2137: keycloak-httpd-client-install security, bug fix, and enhancement update (LOW)