VYPR
Medium severity 4.9 · NVD Advisory · Published Apr 22, 2024 · Updated Apr 15, 2026

CVE-2024-28717


Description

An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| storlets (PyPI) | < 13.0.0.0rc1 | 13.0.0.0rc1 |

Patches

5ad58804af88

Restrict access to local storlet/dependency files

https://github.com/openstack/storlets · Takashi Kajinami · Jan 20, 2024 · via ghsa
1 file changed · +8 -7
  • storlets/gateway/gateways/docker/gateway.py · +8 -7 · modified
    @@ -279,7 +279,7 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
                 get_func = sreq.file_manager.get_dependency
     
             if not os.path.exists(cache_dir):
    -            os.makedirs(cache_dir, 0o755)
    +            os.makedirs(cache_dir, 0o700)
     
             # cache_target_path is the actual object we need to deal with
             # e.g. a concrete storlet or dependency we need to bring/update
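Review bot: The tightened mode on `cache_dir` is only applied inside `if not os.path.exists(cache_dir):`, so a cache directory that an earlier version already created as 0o755 stays world-readable after upgrade. Consider an unconditional `os.chmod(cache_dir, 0o700)` after this check, or document that operators must fix existing directories by hand. Note also that the mode given to `os.makedirs` is masked by the process umask and, on Python 3.7 and later, is not applied to intermediate directories it creates, so parent components of `cache_dir` can still end up more permissive than 0o700.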
    @@ -312,16 +312,17 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
                 # bring the object from storge
                 data_iter, perm = get_func(obj_name)
     
    +            if perm:
    +                perm = int(perm, 8) & 0o700
    +            else:
    +                perm = 0o600
    +
                 # TODO(takashi): Do not directly write to target path
                 with open(cache_target_path, 'wb') as fn:
    +                os.chmod(cache_target_path, perm)
                     for data in data_iter:
                         fn.write(data)
     
    -            if not is_storlet:
    -                if not perm:
    -                    perm = '0600'
    -                os.chmod(cache_target_path, int(perm, 8))
    -
             # The node's local cache is now updated.
             # We now verify if we need to update the
             # Docker container itself.
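Review bot: Inside `with open(cache_target_path, 'wb') as fn:`, the new `os.chmod(cache_target_path, perm)` runs after `open()` has already created the file with the umask-derived mode, and it acts on the path rather than on the open descriptor, so a newly created file is briefly more permissive than intended. Using `os.fchmod(fn.fileno(), perm)`, ideally on a descriptor obtained from `os.open(cache_target_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`, closes that window and fits the existing TODO about not writing directly to the target path. Separately, `int(perm, 8) & 0o700` raises ValueError on a non-octal string and can produce a mode with no owner read bit (for example '0044' becomes 0), so `perm` should be validated and fall back to 0o600 in both cases.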
    @@ -334,7 +335,7 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
             docker_target_path = os.path.join(docker_storlet_path, obj_name)
     
             if not os.path.exists(docker_storlet_path):
    -            os.makedirs(docker_storlet_path, 0o755)
    +            os.makedirs(docker_storlet_path, 0o700)
                 update_docker = True
             elif not os.path.isfile(docker_target_path):
                 update_docker = True
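Review bot: The 0o700 on `docker_storlet_path` assumes that whatever later reads `docker_target_path` runs under the same uid that creates the directory; nothing in this hunk shows that, so a short comment stating who owns and who reads this path would help reviewers confirm that storlets still load. As with `cache_dir`, the new mode is only set on the creation branch: when the directory already exists the code falls through to `elif not os.path.isfile(docker_target_path):` and an older 0o755 directory keeps its permissions.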
    
