Information disclosure in Red Hat OpenStack
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2013-0266 |
| CWE-ID | CWE-264 |
| Exploitation vector | Local |
| Public exploit | This vulnerability is being exploited in the wild. |
| Vulnerable software |
Red Hat OpenStack Server applications / Other server solutions |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU4536
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Green]
CVE-ID: CVE-2013-0266
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to insecure permissions being set on the cinder.conf and api-paste.ini files. A local attacker can gain access to a world-readable log file and obtain sensitive information.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Install update from vendor's website.
Red Hat OpenStack: All versions
CPE2.3 External linkshttps://bugzilla.redhat.com/show_bug.cgi?id=908581
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
