VYPR
Vendor: Pulpy

Products: 1
CVEs: 12
Across products: 12
Status: Private

Recent CVEs (12)

  • CVE-2026-44225 | Critical | May 12, 2026
    risk 0.60 | cvss 9.3 | epss 0.00

    Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access,…

  • CVE-2015-5153 | High | Aug 18, 2017
    risk 0.57 | cvss 8.8 | epss 0.01

    Pulp does not remove permissions for named objects upon deletion, which allows authenticated users to gain the privileges of a deleted object via creating an object with the same name.

  • CVE-2016-3112 | High | Jun 8, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading…

  • CVE-2015-5263 | High | Sep 25, 2017
    risk 0.46 | cvss 8.1 | epss 0.01

    pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.

  • CVE-2016-3108 | High | Jun 8, 2017
    risk 0.46 | cvss 7.1 | epss 0.00

    The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.

  • CVE-2013-7450 | High | Apr 3, 2017
    risk 0.42 | cvss 7.5 | epss 0.01

    Pulp before 2.3.0 uses the same certificate authority key and certificate for all installations.

  • CVE-2018-1090 | Medium | Jun 18, 2018
    risk 0.36 | cvss 5.5 | epss 0.01

    In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.

  • CVE-2016-3696 | Medium | Jun 13, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key.

  • CVE-2016-3095 | Medium | Jun 8, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local users to read the generated private key.

  • CVE-2016-3111 | Medium | Jun 8, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated…

  • CVE-2016-3107 | Medium | Jun 8, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/pki/pulp/nodes/" directory, which allows local users to gain access to sensitive data.

  • CVE-2016-3106 | Medium | Apr 13, 2017
    risk 0.35 | cvss 5.3 | epss 0.01

    Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner.