4 results (0.002 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in trove/guestagent/datastore/experimental/redis/service.py, _write_mycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::_run_prepare function in trove/guestagent/strategies/restore/mysql_impl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysql_impl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, _get_actual_db_status function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file. La función _write_config en trove/guestagent/datastore/experimental/mongodb/service.py, la función reset_configuration en trove/guestagent/datastore/experimental/postgresql/service/config.py, la función write_config en trove/guestagent/datastore/experimental/redis/service.py, la función _write_mycnf en trove/guestagent/datastore/mysql/service.py, la función InnoBackupEx::_run_prepare en trove/guestagent/strategies/restore/mysql_impl.py, la función InnoBackupEx::cmd en trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd en trove/guestagent/strategies/backup/mysql_impl.py, la función InnoBackupExIncremental::cmd en trove/guestagent/strategies/backup/mysql_impl.py, la función _get_actual_db_status en trove/guestagent/datastore/experimental/cassandra/system.py y trove/guestagent/datastore/experimental/cassandra/service.py, y múltiples métodos de clase CbBackup en trove/guestagent/strategies/backup/experimental/couchbase_impl.py en Openstack DBaaS (también llamado Trove) tal y como está empaquetado en Openstack en versiones anteriores a la 2015.1.0 (también llamada Kilo) permite que usuarios locales escriban en archivos de configuración mediante un ataque symlink en un archivo temporal. • https://bugs.launchpad.net/trove/+bug/1398195 https://bugzilla.redhat.com/show_bug.cgi?id=1216073 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/cassandra/service.py#L230 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/mongodb/service.py#L176 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/redis/service.py#L236 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/mysql • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0

The trove service user in (1) Openstack deployment (aka crowbar-openstack) and (2) Trove Barclamp (aka barclamp-trove and crowbar-barclamp-trove) in the Crowbar Framework has a default password, which makes it easier for remote attackers to obtain access via unspecified vectors. El servicio de usuario de trove en (1) la implementación Openstack (también conocido como crowbar-openstack) y (2) Trove Barclamp (también conocido como barclamp-trove y crowbar-barclamp-trove) en el Crowbar Framework tiene una contraseña por defecto, lo que hace más fácil a atacantes remotos obtener acceso a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2016/08/16/1 http://www.openwall.com/lists/oss-security/2016/08/18/9 http://www.securityfocus.com/bid/92476 https://github.com/crowbar/barclamp-trove/commit/932298f250365fed6963700870e52db3a7a32daa https://github.com/crowbar/crowbar-openstack/commit/208230bdfbcb19d062149d083b1a66b429516a69 https://www.suse.com/security/cve//CVE-2016-6829.html • CWE-798: Use of Hard-coded Credentials •

CVSS: 2.1EPSS: 0%CPEs: 8EXPL: 0

The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. La función processutils.execute en OpenStack oslo-incubator, Cinder, Nova, y Trove anterior a 2013.2.4 y 2014.1 anterior a 2014.1.3 permite a usuarios locales obtener contraseñas de comandos que causan un error de ejecución de proceso (ProcessExecutionError) mediante la lectura del registro. • http://rhn.redhat.com/errata/RHSA-2014-1939.html http://seclists.org/oss-sec/2014/q3/853 http://www.securityfocus.com/bid/70185 http://www.ubuntu.com/usn/USN-2405-1 https://bugs.launchpad.net/oslo-incubator/+bug/1343604 https://exchange.xforce.ibmcloud.com/vulnerabilities/96725 https://access.redhat.com/security/cve/CVE-2014-7230 https://bugzilla.redhat.com/show_bug.cgi?id=1147722 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •

CVSS: 2.1EPSS: 0%CPEs: 7EXPL: 1

The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log. La función strutils.mask_password en la libraría de utilidades de OpenStack Oslo, Cinder, Nova, y Trove anterior a 2013.2.4 y 2014.1 anterior a 2014.1.3 no enmasca debidamente contraseñas cuando registra comandos, lo que permite a usuarios locales obtener contraseñas mediante la lectura del registro. • http://rhn.redhat.com/errata/RHSA-2014-1939.html http://seclists.org/oss-sec/2014/q3/853 http://www.securityfocus.com/bid/70184 https://bugs.launchpad.net/oslo.utils/+bug/1345233 https://exchange.xforce.ibmcloud.com/vulnerabilities/96726 https://access.redhat.com/security/cve/CVE-2014-7231 https://bugzilla.redhat.com/show_bug.cgi?id=1147722 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •