Aug 29, 2014 - 12:00 a.m.

CVE-2014-5247

2014-08-29 00:00:00
ubuntu.com

CVSS2: 2.1

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001
Percentile: 15.9%

The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py
in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable
permissions for the configuration backup file, which allows local users to
obtain SSL keys, remote API credentials, and other sensitive information by
reading the file, related to the upgrade command.
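
The permission problem described above, shown as an added example (not Ganeti's code and not part of the advisory): an archive written through a plain open gets mode 0666 masked by the umask, while one created with os.open and mode 0600 is owner-only from the first byte. Function names, file names and the placeholder key file are constructed for illustration, and POSIX permissions are assumed.

```python
import os
import stat
import tarfile
import tempfile


def backup_world_readable(src_dir, dest):
    """Weak pattern: archive mode is 0666 & ~umask (0644 under umask 022)."""
    with tarfile.open(dest, "w:gz") as tar:
        tar.add(src_dir, arcname="config")
    return stat.S_IMODE(os.stat(dest).st_mode)


def backup_owner_only(src_dir, dest):
    """Hardened pattern: create the file as 0600 before any data is written."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)
    with os.fdopen(fd, "wb") as raw:
        os.fchmod(raw.fileno(), 0o600)  # set the exact mode; fchmod ignores the umask
        with tarfile.open(fileobj=raw, mode="w:gz") as tar:
            tar.add(src_dir, arcname="config")
    return stat.S_IMODE(os.stat(dest).st_mode)


def readable_by_others(path):
    """Audit check: True if group or other has read permission on path."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    old_umask = os.umask(0o022)  # common default umask, set here for a fixed result
    try:
        with tempfile.TemporaryDirectory() as work:
            src = os.path.join(work, "conf")
            os.mkdir(src, 0o700)
            with open(os.path.join(src, "server.pem"), "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            weak = os.path.join(work, "weak.tar.gz")
            hard = os.path.join(work, "hard.tar.gz")
            modes = (backup_world_readable(src, weak), backup_owner_only(src, hard))
            return modes, readable_by_others(weak), readable_by_others(hard)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

The same `readable_by_others` check can be pointed at existing backup files on a host to find ones that should be tightened with `chmod 600`.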
