CVE-2018-10917
pulp: Improper path parsing leads to overwriting of iso repositories
Descriptions
pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.
A path traversal flaw was found in the ISO repository plugin for pulp. An attacker with access to a repository that feeds pulp can carefully craft that repository to overwrite arbitrary files owned by the Apache web server.
Timeline
- 2018-05-09 CVE Reserved
- 2018-08-15 CVE Published
- 2024-06-24 EPSS Updated
- 2024-08-05 CVE Updated
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (4)
URL | Tag | Date |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10917 | Issue Tracking | |
https://access.redhat.com/errata/RHSA-2019:1222 | | 2023-02-12 |
https://access.redhat.com/security/cve/CVE-2018-10917 | | 2019-05-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=1598928 | | 2019-05-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Pulpproject | Pulp | <= 2.16.0 | - | Affected |
Pulpproject | Pulp | 2.16.1 | - | Affected |
Pulpproject | Pulp | 2.16.2 | - | Affected |
Pulpproject | Pulp | 2.16.4 | - | Affected |