QwikSec

Security Database

CVE

CWE

Training

CVE-2016-3111

Published: Jun 8, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n620

x_refsource_MISC

http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n317

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=1326251

x_refsource_CONFIRM

https://bugzilla.redhat.com/attachment.cgi?id=1146522

x_refsource_CONFIRM

vendor-advisory

x_refsource_REDHAT

https://pulp.plan.io/issues/1837

x_refsource_CONFIRM

https://github.com/pulp/pulp/blob/master/pulp.spec#L894-L903

x_refsource_CONFIRM

[oss-security] 20160519 Pulp 2.8.3 Released to address multiple CVEs

mailing-list

x_refsource_MLIST

https://github.com/pulp/pulp/blob/master/pulp.spec#L473-L486

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.