Skip to main content

Pulp CVE-2018-1090

HIGH
Information Exposure (CWE-200)
2018-06-18 secalert@redhat.com
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 18, 2018 - 14:29 nvd
HIGH 7.5

DescriptionNVD

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.

AnalysisAI

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets. Affected products include: Pulpproject Pulp, Fedoraproject Fedora, Redhat Satellite. Version information: version 2.16.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

More in Pulp

View all
CVE-2016-3095 MEDIUM POC
5.5 Jun 08

server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local users to read the generated private key. Rated medi

CVE-2015-5153 HIGH
8.8 Aug 18

Pulp does not remove permissions for named objects upon deletion, which allows authenticated users to gain the privilege

CVE-2024-7143 HIGH
8.3 Aug 07

A flaw was found in the Pulp package. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low at

CVE-2015-5263 HIGH
8.1 Sep 25

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the serv

CVE-2016-3704 HIGH
7.5 Jun 13

Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords. Rated high severity (CVSS 7.5), this vulne

CVE-2016-3112 HIGH
7.5 Jun 08

client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as w

CVE-2013-7450 HIGH
7.5 Apr 03

Pulp before 2.3.0 uses the same the same certificate authority key and certificate for all installations. Rated high sev

CVE-2016-3108 HIGH
7.1 Jun 08

The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary fil

CVE-2018-10917 MEDIUM
6.5 Aug 15

pulp 2.16.x and possibly older is vulnerable to an improper path parsing. Rated medium severity (CVSS 6.5), this vulnera

CVE-2016-3696 MEDIUM
5.5 Jun 13

The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key. Rated medium severity (CVSS 5

CVE-2016-3111 MEDIUM
5.5 Jun 08

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the p

CVE-2016-3107 MEDIUM
5.5 Jun 08

The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/

Share

CVE-2018-1090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy