CVE-2016-9599
HIGHpuppet-tripleo - Improper Access Control via IPtables Rules with Empty Port Values
Title source: llmDescription
puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources.
References (2)
Core 2
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9599
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0025.html
Scores
CVSS v3
7.1
EPSS
0.0018
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Details
CWE
CWE-284
Status
published
Products (3)
openstack/puppet-tripleo
5.5.0
openstack/puppet-tripleo
6.2.0
redhat/openstack
10
Published
Apr 24, 2018
Tracked Since
Feb 18, 2026