CVE-2014-5247
Published 2014-08-29
Priority: P46 (low)
CVSS 2.0: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
EPSS: 0.49% (38.5th percentile)
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
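The flaw class described above, shown as an added illustration (this is not Ganeti's code and not the upstream fix): an archive created with default permissions next to one created owner-only, plus an audit check. All function names, file names and the sample key content are hypothetical and constructed, and a umask of 022 is assumed.

```python
import os, stat, tarfile, tempfile

READ_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH

def backup_default(src_dir, dest):
    """Weak pattern: archive mode is whatever the umask leaves (0644 under 022)."""
    with tarfile.open(dest, "w:gz") as tar:
        tar.add(src_dir, arcname="config")

def backup_private(src_dir, dest):
    """Hardened pattern: create the file 0600 before any secret is written.
    O_EXCL also refuses a file or symlink that someone pre-created at dest."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
        tar.add(src_dir, arcname="config")

def audit(path):
    """Return (mode, exposed): exposed is True if group or others can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode, bool(mode & READ_BY_OTHERS)

def demo():
    """Build both archives from a constructed config dir and audit them."""
    old_umask = os.umask(0o022)  # common default, assumed for the demo
    try:
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "cfg")
            os.mkdir(src)
            with open(os.path.join(src, "server.pem"), "w") as f:
                f.write("CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n")
            weak = os.path.join(tmp, "weak.tar.gz")
            strong = os.path.join(tmp, "strong.tar.gz")
            backup_default(src, weak)
            backup_private(src, strong)
            return audit(weak), audit(strong)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    for label, (mode, exposed) in zip(("default", "private"), demo()):
        print(f"{label}: mode={mode:04o} readable_by_others={exposed}")
```

The `audit` helper can be pointed at existing backup archives on a host to find ones that local users can still read.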
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ganeti | < ganeti 2.11.5-1 (bookworm) | ganeti 2.11.5-1 (bookworm) |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | >= 0 < 2.11.5-1 | 2.11.5-1 |
| spi-inc | ganeti | >= 0 < 2.11.5-1 | 2.11.5-1 |
| spi-inc | ganeti | >= 0 < 2.11.5-1 | 2.11.5-1 |
CVSS provenance
nvd: v2.0, 2.1 LOW, AV:L/AC:L/Au:N/C:P/I:N/A:N
osv: 2.1 LOW
vendor_debian: 2.1 LOW
GHSA
GHSA-rqwx-x2jv-r288 [LOW]: The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster
ghsa_unreviewed · 2022-05-13
OSV
CVE-2014-5247 [LOW]: The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster
osv · 2014-08-29 · CVSS 2.1
Debian
CVE-2014-5247 [LOW]: ganeti - The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in G...
vendor_debian · 2014 · CVSS 2.1
Scope: local
bookworm: resolved (fixed in 2.11.5-1)
bullseye: resolved (fixed in 2.11.5-1)
sid: resolved (fixed in 2.11.5-1)
trixie: resolved (fixed in 2.11.5-1)
References
http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0
http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html
http://seclists.org/oss-sec/2014/q3/370
http://www.ocert.org/advisories/ocert-2014-006.html
http://www.securityfocus.com/archive/1/533119/100/0/threaded
http://www.securityfocus.com/bid/69186
https://exchange.xforce.ibmcloud.com/vulnerabilities/95256