VDB
KO
MEDIUM 5.5

PYSEC-2026-1053

Openstack DBaaS (Trove) Improper Link Resolution Before File Access

Details

The `_write_config` function in `trove/guestagent/datastore/experimental/mongodb/service.py`, `reset_configuration` function in `trove/guestagent/datastore/experimental/postgresql/service/config.py`, `write_config` function in `trove/guestagent/datastore/experimental/redis/service.py`, `_write_mycnf` function in `trove/guestagent/datastore/mysql/service.py`, `InnoBackupEx::_run_prepare` function in `trove/guestagent/strategies/restore/mysql_impl.py`, `InnoBackupEx::cmd` function in `trove/guestagent/strategies/backup/mysql_impl.py`,`MySQLDump::cmd` in `trove/guestagent/strategies/backup/mysql_impl.py`, `InnoBackupExIncremental::cmd` function in `trove/guestagent/strategies/backup/mysql_impl.py`, `_get_actual_db_status` function in `trove/guestagent/datastore/experimental/cassandra/system.py` and `trove/guestagent/datastore/experimental/cassandra/service.py`, and multiple class CbBackup methods in `trove/guestagent/strategies/backup/experimental/couchbase_impl.py` in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / trove
Introduced in: 0 Fixed in: 4.0.0a0
Fix pip install --upgrade 'trove>=4.0.0a0'

References