{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-06-13T00:00:00", "descriptions": [{"lang": "en", "value": "The image build process for the overcloud images in Red Hat OpenStack Platform 8.0 (Liberty) director and Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director (aka overcloud-full) use a default root password of ROOTPW, which allows attackers to gain access via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-06-30T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2016:1223", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://rhn.redhat.com/errata/RHSA-2016-1223.html"}, {"name": "RHSA-2016:1222", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1222.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://access.redhat.com/security/vulnerabilities/2359821"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:32:25.339Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2016:1223", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://rhn.redhat.com/errata/RHSA-2016-1223.html"}, {"name": "RHSA-2016:1222", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1222.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://access.redhat.com/security/vulnerabilities/2359821"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-4474", "datePublished": "2016-06-30T16:00:00", "dateReserved": "2016-05-02T00:00:00", "dateUpdated": "2024-08-06T00:32:25.339Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9DAA72A4-AC7D-4544-89D4-5B07961D5A95", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*", "matchCriteriaId": "E8B8C725-34CF-4340-BE7B-37E58CF706D6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The image build process for the overcloud images in Red Hat OpenStack Platform 8.0 (Liberty) director and Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director (aka overcloud-full) use a default root password of ROOTPW, which allows attackers to gain access via unspecified vectors."}, {"lang": "es", "value": "El proceso de construcci\u00f3n de imagen de las im\u00e1genes de overcloud en Red Hat OpenStack Platform 8.0 (Liberty) director y Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director (tambi\u00e9n conocido como overcloud-full) utilizan una contrase\u00f1a de root por defecto de ROOTPW, lo que permite a atacantes obtener acceso a trav\u00e9s de vectores no especificados."}], "id": "CVE-2016-4474", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-06-30T16:59:03.463", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1222.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/vulnerabilities/2359821"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://rhn.redhat.com/errata/RHSA-2016-1223.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1222.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/vulnerabilities/2359821"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://rhn.redhat.com/errata/RHSA-2016-1223.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank David Patterson (Dell) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2016:1223", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "overcloud-full", "product_name": "OpenStack 7.0 Director for RHEL 7", "release_date": "2016-06-13T00:00:00Z"}, {"advisory": "RHSA-2016:1222", "cpe": "cpe:/a:redhat:openstack-director:8::el7", "package": "rhosp-director-images-0:8.0-20160603.2.el7ost", "product_name": "Red Hat OpenStack Platform 8.0 (Liberty) director", "release_date": "2016-06-13T00:00:00Z"}], "bugzilla": {"description": "overcloud-full: Default root password set", "id": "1342412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1342412"}, "csaw": true, "cvss": {"cvss_base_score": "7.4", "cvss_scoring_vector": "AV:A/AC:M/Au:S/C:C/I:C/A:C", "status": "verified"}, "details": ["The image build process for the overcloud images in Red Hat OpenStack Platform 8.0 (Liberty) director and Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director (aka overcloud-full) use a default root password of ROOTPW, which allows attackers to gain access via unspecified vectors.", "An issue was discovered in the image build process for the overcloud images, as used by director, resulting in all previous images to have a default root password of \"rootpw\". Remote root access via SSH is disabled by default."], "name": "CVE-2016-4474", "package_state": [{"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Affected", "package_name": "overcloud-full", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2016-06-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-4474\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4474"], "threat_severity": "Important"}