7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
It was discovered that ganeti, a virtual server cluster manager, does
not validate the path of scripts passed as arguments to certain
commands, which allows local or remote users (via the web interface in
versions 2.x) to execute arbitrary commands on a host acting as a
cluster master.
The oldstable distribution (etch) does not include ganeti.
For the stable distribution (lenny), this problem has been fixed in
version 1.2.6-3+lenny2.
For the testing distribution (squeeze), this problem will be fixed
in version 2.0.5-1.
For the unstable distribution (sid), this problem has been fixed in
version 2.0.5-1.
We recommend that you upgrade your ganeti packages.