pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2019:1222 | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10917 | Issue Tracking Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
12 Feb 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
Summary | pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories. | |
References |
|
02 Feb 2023, 15:17
Type | Values Removed | Values Added |
---|---|---|
Summary | A path traversal flaw was found in the ISO repository plugin for pulp. An attacker, with access to a repository feeding pulp can carefully craft his repository to overwrite arbitrary files owned by the Apache webserver. | |
References |
|
Information
Published : 2018-08-15 17:29
Updated : 2023-12-10 12:44
NVD link : CVE-2018-10917
Mitre link : CVE-2018-10917
CVE.ORG link : CVE-2018-10917
JSON object : View
Products Affected
pulpproject
- pulp
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')