CVE-2018-17954 vulnerability in Suse Products
Published on April 3, 2020
crowbar provision leaks admin password to all nodes in cleartext
An Improper Privilege Management vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8 and SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar-managed node to become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-.
Vulnerability Analysis
CVE-2018-17954 is exploitable with local system access and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered critical, as it has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2018-17954
Affected Versions
- SUSE OpenStack Cloud 7: crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar- are affected.
- SUSE OpenStack Cloud 8: ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana- are affected.
- SUSE OpenStack Cloud 9: ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana- are affected.
- SUSE OpenStack Cloud Crowbar 8: crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar- are affected.
- SUSE OpenStack Cloud Crowbar 9: crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar- are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares to those of all other vulnerabilities.