{"containers": {"cna": {"affected": [{"product": "puppet-swift", "vendor": "unspecified", "versions": [{"status": "affected", "version": "puppet-swift 8.2.1"}, {"status": "affected", "version": " puppet-swift 9.4.4"}]}], "datePublic": "2017-01-12T00:00:00", "descriptions": [{"lang": "en", "value": "puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-04-27T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2017:0359", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0359.html"}, {"name": "95448", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95448"}, {"name": "RHSA-2017:0361", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0361.html"}, {"name": "RHSA-2017:0200", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0200.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9590"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-9590", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "puppet-swift", "version": {"version_data": [{"version_value": "puppet-swift 8.2.1"}, {"version_value": " puppet-swift 9.4.4"}]}}]}, "vendor_name": ""}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions."}]}, "impact": {"cvss": [[{"vectorString": "6.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:0359", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0359.html"}, {"name": "95448", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95448"}, {"name": "RHSA-2017:0361", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0361.html"}, {"name": "RHSA-2017:0200", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0200.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9590", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9590"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:59:02.247Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:0359", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0359.html"}, {"name": "95448", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95448"}, {"name": "RHSA-2017:0361", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0361.html"}, {"name": "RHSA-2017:0200", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0200.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9590"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-9590", "datePublished": "2018-04-26T17:00:00", "dateReserved": "2016-11-23T00:00:00", "dateUpdated": "2024-08-06T02:59:02.247Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:puppet-swift:*:*:*:*:*:*:*:*", "matchCriteriaId": "919E797E-8C9A-412E-9D18-5FFB67C91AC9", "versionEndExcluding": "8.2.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:puppet-swift:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4A2F796-92EF-4F8A-8A14-633EBB426935", "versionEndExcluding": "9.4.4", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*", "matchCriteriaId": "E8B8C725-34CF-4340-BE7B-37E58CF706D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*", "matchCriteriaId": "F40C26BE-56CB-4022-A1D8-3CA0A8F87F4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", "matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions."}, {"lang": "es", "value": "puppet-swift en versiones anteriores a la 8.2.1 y 9.4.4 es vulnerable a la divulgaci\u00f3n de informaci\u00f3n en la instalaci\u00f3n de Object Storage (swift) de Red Hat OpenStack Platform director. Durante la instalaci\u00f3n, el script Puppet responsable de desplegar el servicio elimina y recrea incorrectamente el archivo proxy-server.conf con permisos de lectura globales."}], "id": "CVE-2016-9590", "lastModified": "2024-11-21T03:01:28.040", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-26T17:29:00.230", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0200.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0359.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0361.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95448"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9590"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0200.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0359.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0361.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95448"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9590"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Hans Feldt (Ericsson) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2017:0200", "cpe": "cpe:/a:redhat:openstack:10::el7", "package": "puppet-swift-0:9.4.3-3.el7ost", "product_name": "Red Hat OpenStack Platform 10.0 (Newton)", "release_date": "2017-01-26T00:00:00Z"}, {"advisory": "RHSA-2017:0361", "cpe": "cpe:/a:redhat:openstack:8::el7", "package": "openstack-puppet-modules-1:7.1.5-2.el7ost", "product_name": "Red Hat OpenStack Platform 8.0 (Liberty)", "release_date": "2017-03-01T00:00:00Z"}, {"advisory": "RHSA-2017:0359", "cpe": "cpe:/a:redhat:openstack:9::el7", "package": "openstack-puppet-modules-1:8.1.10-2.el7ost", "product_name": "Red Hat OpenStack Platform 9.0 (Mitaka)", "release_date": "2017-03-01T00:00:00Z"}], "bugzilla": {"description": "puppet-swift: installs config file with world readable permissions", "id": "1410293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1410293"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions.", "An information-disclosure flaw was discovered in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions."], "name": "CVE-2016-9590", "package_state": [{"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Not affected", "package_name": "openstack-puppet-modules", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Not affected", "package_name": "puppet-swift", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}], "public_date": "2017-01-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-9590\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-9590"], "threat_severity": "Moderate", "upstream_fix": "puppet-swift 8.2.1, puppet-swift 9.4.4"}