fkie_cve-2016-3111
Vulnerability from fkie_nvd
Published
2017-06-08 18:29
Modified
2025-04-20 01:37
Severity ?
5.5 (Medium) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.
References
secalert@redhat.comhttp://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n317Issue Tracking, Patch, Third Party Advisory
secalert@redhat.comhttp://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n620Issue Tracking, Patch, Third Party Advisory
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2016/05/20/1Mailing List, Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHBA-2016:1501
secalert@redhat.comhttps://bugzilla.redhat.com/attachment.cgi?id=1146522Issue Tracking
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1326251Issue Tracking, Patch
secalert@redhat.comhttps://github.com/pulp/pulp/blob/master/pulp.spec#L473-L486Issue Tracking, Patch, Third Party Advisory
secalert@redhat.comhttps://github.com/pulp/pulp/blob/master/pulp.spec#L894-L903Issue Tracking, Patch, Third Party Advisory
secalert@redhat.comhttps://pulp.plan.io/issues/1837Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n317Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n620Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2016/05/20/1Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHBA-2016:1501
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/attachment.cgi?id=1146522Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1326251Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/pulp/pulp/blob/master/pulp.spec#L473-L486Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/pulp/pulp/blob/master/pulp.spec#L894-L903Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://pulp.plan.io/issues/1837Patch, Vendor Advisory
Impacted products
Vendor Product Version
pulpproject pulp *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pulpproject:pulp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9B1AA4C-9AC9-4D67-94C5-59CBB75A811F",
              "versionEndIncluding": "2.8.2-1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running."
    },
    {
      "lang": "es",
      "value": "pulp.spec en el proceso de instalaci\u00f3n para Pulp 2.8.3 genera pares de claves RSA empleadas para validar mensajes entre el servidor pulp y los usuarios de pulp en un directorio que puede ser le\u00eddo por cualquier usuario antes de modificar los permisos. Esto puede permitir que los usuarios locales lean las claves RSA generadas mediante la lectura de archivos de claves mientras se est\u00e1 ejecutando el proceso de instalaci\u00f3n."
    }
  ],
  "id": "CVE-2016-3111",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-06-08T18:29:00.357",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n317"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n620"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2016/05/20/1"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHBA-2016:1501"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/attachment.cgi?id=1146522"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1326251"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pulp/pulp/blob/master/pulp.spec#L473-L486"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pulp/pulp/blob/master/pulp.spec#L894-L903"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://pulp.plan.io/issues/1837"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n317"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n620"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2016/05/20/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHBA-2016:1501"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/attachment.cgi?id=1146522"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1326251"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pulp/pulp/blob/master/pulp.spec#L473-L486"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pulp/pulp/blob/master/pulp.spec#L894-L903"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://pulp.plan.io/issues/1837"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.