Vulnerability Details : CVE-2014-5247
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
Products affected by CVE-2014-5247
- cpe:2.3:a:spi-inc:ganeti:2.10.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.11.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:spi-inc:ganeti:2.11.0:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5247
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 13 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-5247
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST |
CWE ids for CVE-2014-5247
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5247
-
http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html
Ganeti Insecure Archive Permission ≈ Packet StormExploit
-
http://seclists.org/oss-sec/2014/q3/370
oss-sec: Re: [oCERT-2014-006] Ganeti insecure archive permission
-
http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0
git.ganeti.org Git - ganeti.git/commitPatch
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/95256
Ganeti gnt_cluster.py information disclosure CVE-2014-5247 Vulnerability Report
-
http://www.securityfocus.com/bid/69186
Ganeti 'gnt_cluster.py' Insecure File Permissions Vulnerability
-
http://www.ocert.org/advisories/ocert-2014-006.html
oCERT archiveUS Government Resource
-
http://www.securityfocus.com/archive/1/533119/100/0/threaded
SecurityFocus
Jump to