CVE-2016-3107

Published on: 06/08/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:01 PM UTC

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Certain versions of Pulp from Pulpproject contain the following vulnerability:

The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/pki/pulp/nodes/" directory, which allows local users to gain access to sensitive data.

  • CVE-2016-3107 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 5.5 - MEDIUM

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2 Score: 2.1 - LOW

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVE References

  • Description: 1325930 – (CVE-2016-3107) CVE-2016-3107 pulp: Node certificate containing private key stored in world-readable file
    Tags: Issue Tracking
    Source: bugzilla.redhat.com (text/html)
    Link: CONFIRM bugzilla.redhat.com/show_bug.cgi?id=1325930

  • Description: Red Hat Customer Portal
    Source: access.redhat.com (text/html)
    Link: REDHAT RHBA-2016:1501

  • Tags: Issue Tracking
    Source: bugzilla.redhat.com (text/x-diff)
    Link: CONFIRM bugzilla.redhat.com/attachment.cgi?id=1146471

  • Description: oss-security - Pulp 2.8.3 Released to address multiple CVEs
    Tags: Mailing List, Third Party Advisory
    Source: www.openwall.com (text/html)
    Link: MLIST [oss-security] 20160519 Pulp 2.8.3 Released to address multiple CVEs

  • Description: Issue #1833: CVE-2016-3107: Node certificate containing private key stored in world-readable file - Pulp
    Tags: Patch, Vendor Advisory
    Source: pulp.plan.io (text/html)
    Link: CONFIRM pulp.plan.io/issues/1833

Known Affected Configurations (CPE V2.3)

Type: Application
Vendor: Pulpproject
Product: Pulp
Version: All
Update: All
Edition: All
Language: All
  • cpe:2.3:a:pulpproject:pulp:*:*:*:*:*:*:*:*: