Insufficient Granularity of Access Control Affecting tripleo-ansible package, versions <0:3.3.1-17.1.20231101230831.el9ost


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL8-TRIPLEOANSIBLE-6446103
  • published15 Mar 2024
  • disclosed15 Mar 2024

Introduced: 15 Mar 2024

CVE-2023-6725  (opens in a new tab)
CWE-1220  (opens in a new tab)

How to fix?

Upgrade RHEL:8 tripleo-ansible to version 0:3.3.1-17.1.20231101230831.el9ost or higher.
This issue was patched in RHSA-2024:2736.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tripleo-ansible package and not the tripleo-ansible package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.

CVSS Base Scores

version 3.1