Description
pulp 2.16.x and possibly older versions are vulnerable to improper path parsing in the ISO repository plugin. A malicious user, or a malicious ISO feed repository that pulp synchronizes from, can cause files to be written to any location writable by the 'apache' user. This may lead to the overwrite of published content belonging to other ISO repositories.
A path traversal flaw was found in the ISO repository plugin for pulp. An attacker with control over a repository that feeds pulp can craft the feed's file names so that, on synchronization, they overwrite arbitrary files owned by the Apache web server user.
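The check a practitioner wants here is the one the description implies: file names taken from a remote feed are untrusted, and a naive join of the repository directory with such a name is exactly what lets `..` components or an absolute name escape it. The following is an added example, not code from pulp or from Red Hat's advisory. It assumes a manifest in the comma-separated `name,checksum,size` layout that Pulp 2 ISO feeds use (PULP_MANIFEST), a hypothetical publish root `/var/lib/pulp/published/iso/repo-a`, and constructed manifest entries; it shows the naive join beside a hardened resolver that rejects anything not strictly under the repository directory.

```python
import os

# Constructed sample manifest, not taken from any real feed. The layout is
# assumed to follow Pulp 2's ISO feed manifest (PULP_MANIFEST): one
# "name,checksum,size" entry per line. The last three names are constructed
# attacker input of the kind a malicious feed could serve.
SAMPLE_MANIFEST = """\
boot.iso,aabbcc,1024
images/rescue.iso,ddeeff,2048
../other-repo/boot.iso,001122,4096
/etc/httpd/conf/httpd.conf,334455,512
images/../../published/other.iso,667788,64
"""

# Hypothetical publish root for one ISO repository (the path is an assumption).
BASE_DIR = "/var/lib/pulp/published/iso/repo-a"


def parse_manifest(text):
    """Yield (name, checksum, size) tuples from manifest text, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, checksum, size = line.rsplit(",", 2)
        yield name, checksum, int(size)


def unsafe_destination(base_dir, name):
    """The naive join behind the traversal: os.path.join discards base_dir
    entirely when name is absolute, and keeps '..' components as they are."""
    return os.path.join(base_dir, name)


def naive_resolved(base_dir, name):
    """Where the naive join actually lands once '..' is collapsed."""
    return os.path.normpath(unsafe_destination(base_dir, name))


def safe_destination(base_dir, name):
    """Return the absolute write path for `name` inside base_dir, or raise
    ValueError if the name would escape it."""
    if not name or name.startswith("/") or "\\" in name or "\0" in name:
        raise ValueError("absolute, empty or malformed name: %r" % name)
    # Refuse every component that is empty or a dot-directory, so 'a//b',
    # './a' and 'a/../b' are all rejected before any path arithmetic.
    if any(part in ("", ".", "..") for part in name.split("/")):
        raise ValueError("path component not allowed: %r" % name)
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # Second line of defence: after symlink resolution the destination must
    # still sit under the repository directory.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("resolved outside repository: %r" % name)
    return dest


def plan_writes(base_dir, manifest_text):
    """Split manifest entries into accepted {name: dest} and rejected [(name, reason)]."""
    accepted, rejected = {}, []
    for name, _checksum, _size in parse_manifest(manifest_text):
        try:
            accepted[name] = safe_destination(base_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    for name, _, _ in parse_manifest(SAMPLE_MANIFEST):
        print("naive join lands at:", naive_resolved(BASE_DIR, name))
    ok, bad = plan_writes(BASE_DIR, SAMPLE_MANIFEST)
    print("accepted:", sorted(ok))
    print("rejected:", [n for n, _ in bad])
```

The component check does the real work: it rejects the three crafted names before any filesystem call. The `realpath` plus `commonpath` comparison is kept as a backstop against symlinks already present under the repository directory, which a pure string check cannot see.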
Statement
Red Hat Enterprise Virtualization Hypervisor includes only selected components of pulp, which are not affected by this flaw.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Virtualization 4 | pulp | Not affected | | |
| Red Hat Satellite 6.5 for RHEL 7 | ansiblerole-insights-client | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | candlepin | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | createrepo_c | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-bootloaders-redhat | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-discovery-image | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-installer | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-proxy | Fixed | RHSA-2019:1222 | 14.05.2019 |
| Red Hat Satellite 6.5 for RHEL 7 | foreman-selinux | Fixed | RHSA-2019:1222 | 14.05.2019 |
Additional information
Status:
EPSS:
CVSS3: 6.8 (Medium)