CVE-2016-3111 — Sensitive Information Exposure in Pulp

CWE-200 — Sensitive Information Exposure CWE-362 — Race Condition5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 85.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulpproject Pulp

Timeline

PublishedJun 8

Latest updateMay 14

Description

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDpulpproject/pulp2.8.2-1

Patches

Patch: pkgs.fedoraproject.org ↗Patch: pkgs.fedoraproject.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-fgrp-5xv9-qv52: pulp↗2022-05-14

▶

CVEList

CVE-2016-3111: pulp↗2017-06-08

▶

📋Vendor Advisories

Red Hat

pulp: Race condition when generating RSA keys for authenticating messages between server and consumers↗2016-04-13

▶

💬Community

Bugzilla

CVE-2016-3111 pulp: Race condition when generating RSA keys for authenticating messages between server and consumers↗2016-04-12

▶