CVE-2016-3112
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert, and authenticating as a consumer user.
client/consumer/cli.py en Pulp, en versiones anteriores a la 2.8.3, escribe claves privadas del usuario en etc/pki/pulp/consumer/consumer-cert.pem de forma legible para todos los usuarios, lo que permite que usuarios autenticados remotos obtengan las claves privadas de los consumidores y eleven privilegios mediante la lectura de /etc/pki/pulp/consumer/consumer-cert y autenticándose como el usuario consumidor.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-03-10 CVE Reserved
- 2017-06-08 CVE Published
- 2023-05-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-284: Improper Access Control
CAPEC
References (5)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2016/05/20/1 | Mailing List | |
https://bugzilla.redhat.com/attachment.cgi?id=1146538 | Issue Tracking | |
https://bugzilla.redhat.com/show_bug.cgi?id=1326242 | Issue Tracking |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://pulp.plan.io/issues/1834 | 2023-02-13 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHBA-2016:1501 | 2023-02-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Pulpproject Search vendor "Pulpproject" | Pulp Search vendor "Pulpproject" for product "Pulp" | <= 2.8.2-1 Search vendor "Pulpproject" for product "Pulp" and version " <= 2.8.2-1" | - |
Affected
|