CVE-2016-3112

Published on: 06/08/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:01 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of Pulp from Pulpproject contain the following vulnerability:

client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert, and authenticating as a consumer user.

  • CVE-2016-3112 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS2 Score: 5 - MEDIUM

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVE References

  • Issue #1834: CVE-2016-3112: Pulp consumer private keys are world-readable - Pulp
    Tags: Patch, Vendor Advisory
    Link: CONFIRM pulp.plan.io/issues/1834 (pulp.plan.io, text/html)

  • 1326242 – (CVE-2016-3112) CVE-2016-3112 pulp: Agent certificate containing private key is stored in world-readable file
    Tags: Issue Tracking
    Link: CONFIRM bugzilla.redhat.com/show_bug.cgi?id=1326242 (bugzilla.redhat.com, text/html)

  • Red Hat Customer Portal
    Link: REDHAT RHBA-2016:1501 (access.redhat.com, text/html)

  • oss-security - Pulp 2.8.3 Released to address multiple CVEs
    Tags: Mailing List, Third Party Advisory
    Link: MLIST [oss-security] 20160519 Pulp 2.8.3 Released to address multiple CVEs (www.openwall.com, text/html)

  • Tags: Issue Tracking
    Link: CONFIRM bugzilla.redhat.com/attachment.cgi?id=1146538 (bugzilla.redhat.com, text/x-diff)

Known Affected Configurations (CPE V2.3)

  • Type: Application
  • Vendor: Pulpproject
  • Product: Pulp
  • Version: All
  • Update: All
  • Edition: All
  • Language: All
  • cpe:2.3:a:pulpproject:pulp:*:*:*:*:*:*:*:*