CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3010 – ceph-deploy: keyring permissions are world readable in ~ceph
https://notcve.org/view.php?id=CVE-2015-3010
ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file. ceph-deploy anterior a 1.5.23 utiliza permisos débiles (644) para ceph/ceph.client.admin.keyring, lo que permite a usuarios locales obtener información sensible mediante la lectura del fichero. It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph Storage, would create the keyring file with world readable permissions, which could possibly allow a local user to obtain authentication credentials from the keyring file. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155576.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155631.html http://rhn.redhat.com/errata/RHSA-2015-1092.html http://www.openwall.com/lists/oss-security/2015/04/09/11 http://www.openwall.com/lists/oss-security/2015/04/09/9 http://www.securityfocus.com/bid/74043 https://bugzilla.suse.com/show_bug.cgi?id=920926 https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08d • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4053 – ceph-deploy admin command copies keyring file to /etc/ceph which is world readable
https://notcve.org/view.php?id=CVE-2015-4053
The admin command in ceph-deploy before 1.5.25 uses world-readable permissions for /etc/ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file. El comando de administración en ceph-deploy anterior a 1.5.25 utiliza permisos de lectura universal para /etc/ceph/ceph.client.admin.keyring, lo que permite a usuarios locales obtener información sensible mediante la lectura del fichero. It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph Storage, would create the keyring file with world readable permissions, which could possibly allow a local user to obtain authentication credentials from the keyring file. • http://rhn.redhat.com/errata/RHSA-2015-1092.html http://tracker.ceph.com/issues/11694 http://www.openwall.com/lists/oss-security/2015/04/09/9 http://www.openwall.com/lists/oss-security/2015/05/22/1 http://www.securityfocus.com/bid/74775 https://access.redhat.com/security/cve/CVE-2015-4053 https://bugzilla.redhat.com/show_bug.cgi?id=1224129 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •