Pulp
by Pulpproject
CVEs (6)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-5153 | High | 0.57 | 8.8 | 0.00 | | Aug 18, 2017 | Pulp does not remove permissions for named objects upon deletion, which allows authenticated users to gain the privileges of a deleted object via creating an object with the same name. |
| CVE-2016-3112 | High | 0.49 | 7.5 | 0.00 | | Jun 8, 2017 | client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert, and authenticating as a consumer user. |
| CVE-2013-7450 | High | 0.49 | 7.5 | 0.00 | | Apr 3, 2017 | Pulp before 2.3.0 uses the same certificate authority key and certificate for all installations. |
| CVE-2016-3108 | High | 0.46 | 7.1 | 0.00 | | Jun 8, 2017 | The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack. |
| CVE-2016-3111 | Medium | 0.36 | 5.5 | 0.00 | | Jun 8, 2017 | pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running. |
| CVE-2016-3106 | Medium | 0.34 | 5.3 | 0.00 | | Apr 13, 2017 | Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner. |