CVE-2017-12440

Description

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

How to fix CVE-2017-12440

To remediate CVE-2017-12440, upgrade the affected package to a fixed version below.

• —upgrade to 5.0.0-2 or later
• —upgrade to 3.0.0-4+deb9u1 or later
• —upgrade to 6.0.1 or later

Is CVE-2017-12440 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 5.0.0-2
• from 0, < 3.0.0-4+deb9u1
• from 0, < 6.0.1

CVSS scores

References (12)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-12440
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-12440
• WEBaccess.redhat.com/errata/RHSA-2017:3227
• WEBaccess.redhat.com/errata/RHSA-2018:0315
• WEB