The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2018:0336 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1328930 | Issue Tracking |
https://docs.pulpproject.org/user-guide/release-notes/2.8.x.html#pulp-2-8-5 | Permissions Required |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YM2LCC7QBRCK4LTN5EZT5OHTVAR3MYTY/ | |
https://pulp.plan.io/issues/1854 | Issue Tracking Vendor Advisory |
Configurations
History
13 Feb 2023, 04:50
Type | Values Removed | Values Added |
---|---|---|
Summary | The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key. | |
References |
|
02 Feb 2023, 15:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file. |
Information
Published : 2017-06-13 16:29
Updated : 2023-12-10 12:15
NVD link : CVE-2016-3696
Mitre link : CVE-2016-3696
CVE.ORG link : CVE-2016-3696
JSON object : View
Products Affected
fedoraproject
- fedora
pulpproject
- pulp
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor