Spi-Inc Ganeti vulnerabilities
4 known vulnerabilities affecting spi-inc/ganeti.
Total CVEs: 4
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 3, LOW 1
Vulnerabilities
CVE-2015-7945 | P2 | HIGH | CVSS 7.5 | CWE-200 | PoC | ≤ 2.9.6, v2.10.0, +28 more | 2017-08-18
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
Sources: nvd, osv
CVE-2015-7944 | P3 | HIGH | CVSS 7.5 | CWE-399 | PoC | ≤ 2.9.6, v2.10.0, +28 more | 2017-08-18
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2, when used in SSL mode, allows remote attackers to cause a denial of service (resource consumption) via SSL parameter renegotiation.
Sources: nvd, osv
CVE-2009-4261 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 2.0.5-1 | 2009-12-21
Multiple directory traversal vulnerabilities in the iallocator framework in Ganeti 1.2.4 through 1.2.8, 2.0.0 through 2.0.4, and 2.1.0 before 2.1.0~rc2 allow (1) remote attackers to execute arbitrary programs via a crafted external script name supplied through the HTTP remote API (RAPI) and allow (2) local users to execute arbitrary programs and gain privileges via a crafted e
Sources: osv
CVE-2014-5247 | P4 | LOW | CVSS 2.1 | CWE-264 | v2.10.0, v2.10.1, +10 more | 2014-08-29
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
Sources: nvd, osv