CVE-2016-3111

Опубликовано: 13 апр. 2016

Источник: redhat

CVSS2: 1.9

EPSS Низкий

Описание

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.

It was found that the private RSA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
RHUI for RHEL 6	pulp	Will not fix
Red Hat Satellite 6.2 for RHEL 6	candlepin	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman-installer	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman-proxy	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman-selinux	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	gofer	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	katello	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	katello-agent	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	katello-certs-tools	Fixed	RHBA-2016:1501	27.07.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-362

https://bugzilla.redhat.com/show_bug.cgi?id=1326251pulp: Race condition when generating RSA keys for authenticating messages between server and consumers

EPSS

Процентиль: 15%

0.00048

Низкий

1.9 Low

CVSS2

Связанные уязвимости

CVE-2016-3111

CVSS3: 5.5

nvd

больше 8 лет назад

GHSA-fgrp-5xv9-qv52