13 matches found
CVE-2024-7143
CVE-2024-7143 – Affected: Pulp RBAC object creation using AutoAddObjPermsMixin; root cause is that the system determines the object creator from the current authenticated user, which on tasks is inherited from the oldest user with task permissions. As a result, permissions on objects created with...
CVE-2018-1090
In Pulp (before version 2.16.2), secrets are passed into override_config when triggering a task, making them readable to any user with read access on the distributor/importer. This leads to information disclosure via the API: an attacker with API access can view sensitive credentials. The issue i...
CVE-2018-10917
CVE-2018-10917 concerns Pulp (version 2.16.x and possibly older) with an improper path parsing vulnerability. A malicious user or malicious ISO feed repository could write to locations accessible to the apache user, potentially overwriting published content in other ISO repositories. Public recor...
CVE-2016-3696
CVE-2016-3696 concerns Pulp prior to 2.8.5 where the pulp-qpid-ssl-cfg script can leak the CA key to local users. The linked OpenVAS/NVD entries confirm exposure via the pulp-qpid-ssl-cfg handling, with impact limited to confidentiality of the CA key (no broader compromise described). Red Hat adv...
CVE-2016-3704
CVE-2016-3704 affects Pulp prior to 2.8.5, arising from the unsafe use of bash $RANDOM to generate NSS DB passwords/seeds. This legacy issue is documented in Red Hat/Satellite advisories and Fedora/OpenVAS entries; exploitation details are not described in the provided docs. Remediation per sourc...
CVE-2016-3107
CVE-2016-3107 affects Pulp: the Node certificate private key is stored in a world‑readable file under /etc/pki/pulp/nodes/, enabling local users to access sensitive data. Affected versions: Pulp before 2.8.3. Root cause: insecure file permissions on the node certificate. Impact: potential disclos...
CVE-2016-3112
The CVE-2016-3112 issue affects Pulp before 2.8.3, where client/consumer/cli.py writes consumer private keys to /etc/pki/pulp/consumer/consumer-cert.pem as world-readable. This allows remote authenticated users to read the consumer private keys and escalate privileges by authenticating as a consu...
CVE-2016-3111
CVE-2016-3111 affects Pulp 2.8.3 during installation. The root cause is that the build/install process (pulp.spec) generates RSA key pairs in a directory that is temporarily world-readable, potentially allowing local users to read the keys while the installation runs. The available connected sour...
CVE-2016-3108
CVE-2016-3108 affects the pulp-gen-nodes-certificate script in Pulp (before 2.8.3). The vulnerability allows local users to leak keys or write to arbitrary files via a symlink attack. This aligns with the NVD entry describing the issue and the CVSS3 vector indicating local access, low attack com...
CVE-2015-5263
The CVE-2015-5263 issue affects pulp-consumer-client versions 2.4.0 through 2.6.3. Concrete detail from connected CNVD entry: a design flaw where the client fails to detect the server’s TLS certificate signature when obtaining the server’s public key during registration. Reported impact states an...
CVE-2016-3095
CVE-2016-3095 affects Pulp prior to 2.8.2. The vulnerability arises in the script server/bin/pulp-gen-ca-certificate, which creates a private key in a world-readable file, allowing local users to read the CA private key. Public sources (NVD, CNVD, osv.dev, Fedora advisory) consistently state this...
CVE-2016-3106
CVE-2016-3106: Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner, enabling potential exposure of sensitive data. The vulnerability affects Pulp’s CA key generation process; CVSS vectors indicate network access with low complexity and partial confident...
CVE-2013-7450
CVE-2013-7450 affects Pulp versions before 2.3.0. The root cause is that the same CA key and certificate are used across all installations, creating a single trusted-trust anchor per deployment. Reported impact includes potential modification of the CA certificate, undermining PKI trust. Exploita...