CVE-2016-3107 — Improper Access Control in Pulp

CWE-284 — Improper Access Control CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 91.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulpproject Pulp

Timeline

PublishedJun 8

Latest updateMay 14

Description

The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/pki/pulp/nodes/" directory, which allows local users to gain access to sensitive data.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDpulpproject/pulp2.8.2-1

Patches

Patch: pulp.plan.io ↗Patch: pulp.plan.io ↗

🔴Vulnerability Details

GHSA

GHSA-v3xg-vpph-2hjg: The Node certificate in Pulp before 2↗2022-05-14

▶

CVEList

CVE-2016-3107: The Node certificate in Pulp before 2↗2017-06-08

▶

📋Vendor Advisories

Red Hat

pulp: Node certificate containing private key stored in world-readable file↗2016-04-13

▶

💬Community

Bugzilla

CVE-2016-3107 pulp: Node certificate containing private key stored in world-readable file↗2016-04-11

▶