CVE-2016-3108Link Following in Pulp

CWE-59Link FollowingCWE-377Insecure Temporary File5 documents5 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 87.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pulpproject Pulp
Timeline
PublishedJun 8
Latest updateMay 14

Description

The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages1 packages

NVDpulpproject/pulp2.8.2-1

Patches

Patch: github.comPatch: pulp.plan.ioPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-2wh2-4qxg-w52c: The pulp-gen-nodes-certificate script in Pulp before 22022-05-14
CVEList
CVE-2016-3108: The pulp-gen-nodes-certificate script in Pulp before 22017-06-08

📋Vendor Advisories

1
Red Hat
pulp: Insecure temporary file used when generating certificate for Pulp Nodes2016-04-13

💬Community

1
Bugzilla
CVE-2016-3108 pulp: Insecure temporary file used when generating certificate for Pulp Nodes2016-04-11
CVE-2016-3108 — Link Following in Pulpproject Pulp | cvebase