
CVE-2014-3593 – luci: privilege escalation through cluster with specially crafted configuration
https://notcve.org/view.php?id=CVE-2014-3593
14 Oct 2014 — Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. ...
References: http://rhn.redhat.com/errata/RHSA-2014-1390.html
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2013-4481 – luci: short exposure of authentication secrets while generating configuration file
https://notcve.org/view.php?id=CVE-2013-4481
21 Nov 2013 — Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as "authentication secrets." A flaw was found in ...
References: http://rhn.redhat.com/errata/RHSA-2013-1603.html
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVE-2013-4482 – luci: paster hidden untrusted path and "command" (callable association) injection
https://notcve.org/view.php?id=CVE-2013-4482
21 Nov 2013 — Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in the (1) current working directory or (2) its parent directories.
References: http://rhn.redhat.com/errata/RHSA-2013-1603.html