CVE-2014-5247

The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:spi-inc:ganeti:2.10.0:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.0:beta1:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.0:rc1:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.0:rc2:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.0:rc3:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.1:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.2:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.3:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.4:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.5:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.10.6:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.11.0:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.11.0:beta1:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.11.0:rc1:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.11.1:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.11.2:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.11.3:*:*:*:*:*:*:*
cpe:2.3:a:spi-inc:ganeti:2.11.4:*:*:*:*:*:*:*

History

21 Nov 2024, 02:11

Type Values Removed Values Added
References () http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0 - () http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0 -
References () http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html - Exploit () http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html - Exploit
References () http://seclists.org/oss-sec/2014/q3/370 - () http://seclists.org/oss-sec/2014/q3/370 -
References () http://www.ocert.org/advisories/ocert-2014-006.html - US Government Resource () http://www.ocert.org/advisories/ocert-2014-006.html - US Government Resource
References () http://www.securityfocus.com/archive/1/533119/100/0/threaded - () http://www.securityfocus.com/archive/1/533119/100/0/threaded -
References () http://www.securityfocus.com/bid/69186 - () http://www.securityfocus.com/bid/69186 -
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/95256 - () https://exchange.xforce.ibmcloud.com/vulnerabilities/95256 -

07 Nov 2023, 02:20

Type Values Removed Values Added
References
  • {'url': 'http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0', 'name': 'http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0', 'tags': ['Patch'], 'refsource': 'CONFIRM'}
  • () http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0 -

Information

Published : 2014-08-29 16:55

Updated : 2024-11-21 02:11


NVD link : CVE-2014-5247

Mitre link : CVE-2014-5247

CVE.ORG link : CVE-2014-5247


JSON object : View

Products Affected

spi-inc

  • ganeti
CWE
CWE-264

Permissions, Privileges, and Access Controls