QwikSec

Security Database

CVE

CWE

Training

CVE-2014-5247

Published: Aug 29, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0

x_refsource_CONFIRM

ganeti-gntcluster-info-disc(95256)

vdb-entry

x_refsource_XF

http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html

x_refsource_MISC

20140812 [oCERT-2014-006] Ganeti insecure archive permission

mailing-list

x_refsource_BUGTRAQ

vdb-entry

x_refsource_BID

[oss-security] 20140814 Re: [oCERT-2014-006] Ganeti insecure archive permission

mailing-list

x_refsource_MLIST

http://www.ocert.org/advisories/ocert-2014-006.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.