CVE-2016-3111

Published on: 06/08/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:03 PM UTC

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Certain versions of Pulp from Pulpproject contain the following vulnerability:

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.

  • CVE-2016-3111 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
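The description above is the classic ordering bug of writing a secret before its permissions are restricted. The shell below is an added illustration, not Pulp's own pulp.spec scriptlet: it models the vulnerable generate-then-chmod ordering beside the fixed ordering (restrictive umask before any key bytes reach disk) and reports the key file's mode at the moment it exists. The directory paths, function names and the umask 022 install environment are assumptions.

```shell
#!/bin/sh
# Added example modelling the CVE-2016-3111 ordering bug; not Pulp's own pulp.spec.
# Paths, function names and the umask 022 install environment are assumptions.

# Write RSA private key material to $1 through a shell redirection, so the
# file's mode depends only on the umask in force (the point of the example).
write_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl genrsa 2048 2>/dev/null > "$1"
    else
        # Constructed stand-in where openssl is absent: random bytes, not a key.
        head -c 256 /dev/urandom > "$1"
    fi
}

# Octal mode of a path (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Vulnerable ordering: generate first, tighten permissions afterwards. Prints the
# key's mode between those steps, i.e. the window in which the key is readable.
keygen_then_chmod() {   # $1 = key directory
    (
        umask 022                 # typical umask inherited by an install shell
        mkdir -p "$1"
        write_key "$1/rsa.key"
        file_mode "$1/rsa.key"    # observed before the chmod below
        chmod 600 "$1/rsa.key"    # too late: the file was already readable
    )
}

# Fixed ordering: restrictive umask and a private directory before any key bytes
# are written, so the file is never world-readable and there is no window to race.
keygen_private() {      # $1 = key directory
    (
        umask 077
        mkdir -p "$1"
        chmod 700 "$1"
        write_key "$1/rsa.key"
        file_mode "$1/rsa.key"    # 600 from the moment it exists
    )
}

main() {
    tmp=$(mktemp -d)
    echo "generate-then-chmod, mode in the window: $(keygen_then_chmod "$tmp/v")"
    echo "umask-first, mode at creation:           $(keygen_private "$tmp/h")"
    rm -rf "$tmp"
}
main "$@"
```

The same check (key mode observed immediately after generation) is what a package-build linter or a post-install audit would look for in any scriptlet that creates credentials.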

CVSS3 Score: 5.5 - MEDIUM

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2 Score: 2.1 - LOW

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVE References

  • MISC (Issue Tracking, Patch, Third Party Advisory): pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n317 (inactive link)
  • CONFIRM (Issue Tracking, diff attachment): bugzilla.redhat.com/attachment.cgi?id=1146522
  • MISC (Issue Tracking, Patch, Third Party Advisory): pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n620 (inactive link)
  • REDHAT: RHBA-2016:1501 - Red Hat Customer Portal (access.redhat.com)
  • CONFIRM (Issue Tracking, Patch, Third Party Advisory): github.com/pulp/pulp/blob/master/pulp.spec#L473-L486 (inactive link)
  • MLIST (Mailing List, Third Party Advisory): [oss-security] 20160519 Pulp 2.8.3 Released to address multiple CVEs (www.openwall.com)
  • CONFIRM (Patch, Vendor Advisory): pulp.plan.io/issues/1837 - Issue #1837: CVE-2016-3111: pulp.spec generates its RSA keys for message signing insecurely
  • CONFIRM (Issue Tracking, Patch): bugzilla.redhat.com/show_bug.cgi?id=1326251 - Bug 1326251 (CVE-2016-3111) pulp: Race condition when generating RSA keys for authenticating messages between server and consumers
  • CONFIRM (Issue Tracking, Patch, Third Party Advisory): github.com/pulp/pulp/blob/master/pulp.spec#L894-L903 (inactive link)

Known Affected Configurations (CPE V2.3)

Type: Application
Vendor: Pulpproject
Product: Pulp
Version / Update / Edition / Language: All
  • cpe:2.3:a:pulpproject:pulp:*:*:*:*:*:*:*:*