The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 02:11
Type | Values Removed | Values Added |
---|---|---|
References | () http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0 - | |
References | () http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html - Exploit | |
References | () http://seclists.org/oss-sec/2014/q3/370 - | |
References | () http://www.ocert.org/advisories/ocert-2014-006.html - US Government Resource | |
References | () http://www.securityfocus.com/archive/1/533119/100/0/threaded - | |
References | () http://www.securityfocus.com/bid/69186 - | |
References | () https://exchange.xforce.ibmcloud.com/vulnerabilities/95256 - |
07 Nov 2023, 02:20
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2014-08-29 16:55
Updated : 2024-11-21 02:11
NVD link : CVE-2014-5247
Mitre link : CVE-2014-5247
CVE.ORG link : CVE-2014-5247
JSON object : View
Products Affected
spi-inc
- ganeti
CWE
CWE-264
Permissions, Privileges, and Access Controls