Description
The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.
It was found that the private key for the node certificate was contained in a world-readable temporary file. A local user could possibly use this flaw to gain access to the private key information in the temporary file.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| RHUI for RHEL 6 | pulp | Will not fix | | |
| Red Hat Satellite 6.2 for RHEL 6 | candlepin | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | foreman | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | foreman-installer | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | foreman-proxy | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | foreman-selinux | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | gofer | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | katello | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | katello-agent | Fixed | RHBA-2016:1501 | 27.07.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | katello-certs-tools | Fixed | RHBA-2016:1501 | 27.07.2016 |
Additional information
Status: Moderate
Defect: CWE-377
https://bugzilla.redhat.com/show_bug.cgi?id=1325934 pulp: Insecure temporary file used when generating certificate for Pulp Nodes
EPSS: 0.00041 (Low), percentile: 12%
CVSS2: 4.7 Medium
Related vulnerabilities
CVSS3: 7.1
nvd
more than 8 years ago
The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.
CVSS3: 7.1
github
more than 3 years ago
The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.