cbcvebase.
CVE-2014-5247
published 2014-08-29


Priority: P46 low
CVSS 2.0: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
EPSS: 0.49% (38.5th percentile)
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.

Affected

16 ranges
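| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ganeti | < ganeti 2.11.5-1 (bookworm) | ganeti 2.11.5-1 (bookworm) |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | | |
| spi-inc | ganeti | >= 0 < 2.11.5-1 | 2.11.5-1 |
| spi-inc | ganeti | >= 0 < 2.11.5-1 | 2.11.5-1 |
| spi-inc | ganeti | >= 0 < 2.11.5-1 | 2.11.5-1 |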

CVSS provenance

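| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 2.1 | LOW | |
| vendor_debian | | 2.1 | LOW | |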