CVE-2016-3112

Опубликовано: 13 апр. 2016

Источник: redhat

CVSS2: 2.1

EPSS Низкий

Описание

client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert, and authenticating as a consumer user.

It was found that the private key for the agent certificate was contained in a world-readable file. A local user could possibly use this flaw to gain access to the private key information in the file.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
RHUI for RHEL 6	pulp	Will not fix
Red Hat Satellite 6.2 for RHEL 6	candlepin	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman-installer	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman-proxy	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	foreman-selinux	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	gofer	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	katello	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	katello-agent	Fixed	RHBA-2016:1501	27.07.2016
Red Hat Satellite 6.2 for RHEL 6	katello-certs-tools	Fixed	RHBA-2016:1501	27.07.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-732

https://bugzilla.redhat.com/show_bug.cgi?id=1326242pulp: Agent certificate containing private key is stored in world-readable file

EPSS

Процентиль: 61%

0.00421

Низкий

2.1 Low

CVSS2

Связанные уязвимости

CVE-2016-3112

CVSS3: 7.5

nvd

больше 8 лет назад

GHSA-3j4c-jhfg-648f