11 results (0.027 seconds)

CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0

pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories. pulp en versiones 2.16.x y, posiblemente, anteriores, es vulnerable a un análisis de ruta incorrecto. Un usuario malicioso o un repositorio de feeds de ISO malicioso puede escribir en ubicaciones accesibles al usuario "apache". Esto podría conducir a la sobrescritura de contenido publicado en otros repositorios iso. • https://access.redhat.com/errata/RHSA-2019:1222 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10917 https://access.redhat.com/security/cve/CVE-2018-10917 https://bugzilla.redhat.com/show_bug.cgi?id=1598928 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets. En Pulp en versiones anteriores a la 2.16.2, los secretos se pasan a override_config al desencadenar una tarea y después se vuelven legibles para todos los usuarios con acceso de lectura al distribuidor/importador. Un atacante con acceso a la API puede visualizar estos secretos. In pulp, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. • https://access.redhat.com/errata/RHSA-2018:2927 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1090 https://pulp.plan.io/issues/3521 https://access.redhat.com/security/cve/CVE-2018-1090 https://bugzilla.redhat.com/show_bug.cgi?id=1560035 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.1EPSS: 0%CPEs: 13EXPL: 0

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration. pulp-consumer-client desde la versión 2.4.0 hasta la 2.6.3 no verifica las firmas del certificado TLS del servidor cuando recupera la clave pública de este al registrarse. • http://cve.killedkenny.io/cve/CVE-2015-5263 http://www.openwall.com/lists/oss-security/2015/09/24/4 https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103 https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754 • CWE-295: Improper Certificate Validation •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords. Pulp en sus versiones anteriores a 2.8.5 usa la varible $RANDOM del bash de manera insegura para la generación de contraseñas. Pulp makes unsafe use of Bash's $RANDOM to generate a NSS DB password and seed resulting in insufficient randomness. An attacker could potentially guess the seed used given enough time and compute resources. • https://access.redhat.com/errata/RHSA-2018:0336 https://bugzilla.redhat.com/show_bug.cgi?id=1330264 https://docs.pulpproject.org/user-guide/release-notes/2.8.x.html#pulp-2-8-5 https://github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L25 https://github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L97-L105 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YM2LCC7QBRCK4LTN5EZT5OHTVAR3MYTY https:&# • CWE-255: Credentials Management Errors CWE-330: Use of Insufficiently Random Values •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key. El script pulp-qpid-ssl-cfg en Pulp anterior a la versión 2.8.5 permite a usuarios locales obtener la clave de autoridad de certificación. It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file. • https://access.redhat.com/errata/RHSA-2018:0336 https://bugzilla.redhat.com/show_bug.cgi?id=1328930 https://docs.pulpproject.org/user-guide/release-notes/2.8.x.html#pulp-2-8-5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YM2LCC7QBRCK4LTN5EZT5OHTVAR3MYTY https://pulp.plan.io/issues/1854 https://access.redhat.com/security/cve/CVE-2016-3696 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •