CVE-2018-1090 — Sensitive Information Exposure in Pulp

CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

7.5HIGHNVD

CNA5.5

EPSS

0.3%

top 49.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulpproject Pulp Redhat Satellite

Timeline

PublishedJun 18

Latest updateMay 13

Description

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDpulpproject/pulp< 2.16.2

▶NVDredhat/satellite6.4

🔴Vulnerability Details

GHSA

GHSA-4j55-qh92-5qjq: In Pulp before version 2↗2022-05-13

▶

CVEList

CVE-2018-1090: In Pulp before version 2↗2018-06-18

▶

📋Vendor Advisories

Red Hat

pulp: sensitive credentials revealed through the API↗2018-03-23

▶

💬Community

Bugzilla

CVE-2018-1090 pulp: sensitive credentials revealed through the API↗2018-03-23

▶

Bugzilla

CVE-2018-1090 pulp: sensitive credentials revealed through the API [fedora-all]↗2018-03-23

▶