Skip to main content

Pulp CVE-2015-5263

HIGH
Improper Certificate Validation (CWE-295)
2017-09-25 secalert@redhat.com
8.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 25, 2017 - 21:29 cve.org
HIGH 8.1

DescriptionCVE.org

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.

AnalysisAI

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-295. pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration. Affected products include: Pulpproject Pulp. Version information: through 2.6.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Pulp

View all
CVE-2016-3095 MEDIUM POC
5.5 Jun 08

server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local users to read the generated private key. Rated medi

CVE-2015-5153 HIGH
8.8 Aug 18

Pulp does not remove permissions for named objects upon deletion, which allows authenticated users to gain the privilege

CVE-2024-7143 HIGH
8.3 Aug 07

A flaw was found in the Pulp package. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low at

CVE-2016-3704 HIGH
7.5 Jun 13

Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords. Rated high severity (CVSS 7.5), this vulne

CVE-2016-3112 HIGH
7.5 Jun 08

client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as w

CVE-2013-7450 HIGH
7.5 Apr 03

Pulp before 2.3.0 uses the same the same certificate authority key and certificate for all installations. Rated high sev

CVE-2018-1090 HIGH
7.5 Jun 18

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable t

CVE-2016-3108 HIGH
7.1 Jun 08

The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary fil

CVE-2018-10917 MEDIUM
6.5 Aug 15

pulp 2.16.x and possibly older is vulnerable to an improper path parsing. Rated medium severity (CVSS 6.5), this vulnera

CVE-2016-3696 MEDIUM
5.5 Jun 13

The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key. Rated medium severity (CVSS 5

CVE-2016-3111 MEDIUM
5.5 Jun 08

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the p

CVE-2016-3107 MEDIUM
5.5 Jun 08

The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/

Share

CVE-2015-5263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy