CVE-2016-3111 Information

Feb 14, 2021 cve

Description

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.specn317 http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.specn620 http://www.openwall.com/lists/oss-security/2016/05/20/1 https://access.redhat.com/errata/RHBA-2016:1501 https://bugzilla.redhat.com/attachment.cgi?id=1146522 https://bugzilla.redhat.com/show_bug.cgi?id=1326251 https://github.com/pulp/pulp/blob/master/pulp.specL473-L486 https://github.com/pulp/pulp/blob/master/pulp.specL894-L903 https://pulp.plan.io/issues/1837

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.5

Share on: