CVE-2016-3704

Published on: 06/13/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:02 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Certain versions of Fedora from Fedoraproject contain the following vulnerability:

Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords.

  • CVE-2016-3704 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

CVSS2 Score: 5 - MEDIUM

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVE References

  • MISC: pulp/pulp-qpid-ssl-cfg at pulp-2.8.2-1 · pulp/pulp · GitHub (Issue Tracking, Patch, Third Party Advisory) - github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L97-L105
  • CONFIRM: Issue #1858: CVE-2016-3704: Unsafe use of bash $RANDOM for NSS DB password and seed - Pulp (Issue Tracking, Patch, Vendor Advisory) - pulp.plan.io/issues/1858
  • CONFIRM: Pulp 2.8 Release Notes — Pulp Project 2.13.1 documentation (Permissions Required) - docs.pulpproject.org/user-guide/release-notes/2.8.x.html#pulp-2-8-5
  • FEDORA: [SECURITY] Fedora 24 Update: pulp-2.8.6-1.fc24 - package-announce - Fedora Mailing-Lists (Patch, Third Party Advisory) - FEDORA-2016-4373f7d32a
  • REDHAT: Red Hat Customer Portal - RHSA-2018:0336
  • MISC: pulp/pulp-qpid-ssl-cfg at pulp-2.8.2-1 · pulp/pulp · GitHub (Issue Tracking, Patch, Third Party Advisory) - github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L25
  • CONFIRM: 1330264 – (CVE-2016-3704) CVE-2016-3704 pulp: Unsafe use of bash $RANDOM for NSS DB password and seed (Issue Tracking, Patch) - bugzilla.redhat.com/show_bug.cgi?id=1330264

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Fedoraproject | Fedora | 24 | All | All | All
Application | Pulpproject | Pulp | All | All | All | All
  • cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*:
  • cpe:2.3:a:pulpproject:pulp:*:*:*:*:*:*:*:*: