CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15111 – keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py
https://notcve.org/view.php?id=CVE-2017-15111
keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link. keycloak-httpd-client-install, en versiones anteriores a la 0.8, crea archivos temporales de forma insegura, lo que permite que atacantes locales sobrescriban otros archivos mediante un enlace simbólico. It was discovered that keycloak-httpd-client-install uses a predictable log file name in /tmp. A local attacker could create a symbolic link to a sensitive location, possibly causing data corruption or denial of service. • https://access.redhat.com/errata/RHSA-2019:2137 https://github.com/jdennis/keycloak-httpd-client-install/commit/07f26e213196936fb328ea0c1d5a66a09d8b5440 https://access.redhat.com/security/cve/CVE-2017-15111 https://bugzilla.redhat.com/show_bug.cgi?id=1511623 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-377: Insecure Temporary File •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15112 – keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line
https://notcve.org/view.php?id=CVE-2017-15112
keycloak-httpd-client-install versions before 0.8 allow users to insecurely pass password through command line, leaking it via command history and process info to other local users. keycloak-httpd-client-install, en versiones anteriores a la 0.8, permite que los usuarios pasen la contraseña de forma no segura a través de la línea de comandos, filtrándola mediante el historial de comandos y procesen la información a otros usuarios locales. In keycloak-http-client-install prior to version 0.8, the admin password could be provided through a command-line argument. This might result in the password being leaked through shell history, or becoming visible to a local attacker at the time the program is running. • https://access.redhat.com/errata/RHSA-2019:2137 https://github.com/jdennis/keycloak-httpd-client-install/commit/c3121b271abaaa1a76de2b9ae89dacde0105cd75 https://access.redhat.com/security/cve/CVE-2017-15112 https://bugzilla.redhat.com/show_bug.cgi?id=1511626 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •