Vulnerability Details : CVE-2017-2665
The skyring-setup command creates a random password for the MongoDB skyring database but writes it in plain text to /etc/skyring/skyring.conf, a file that is owned by root yet readable by local users. Any local user with access to a system running the skyring service can therefore read the database password in plain text.
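The defect is a credential-bearing config file left readable by group and others. The following added example (not code from rhscon/skyring or the advisory) audits a file's mode bits for that condition and tightens it to owner-only; it writes a constructed stand-in for /etc/skyring/skyring.conf with a placeholder secret so it runs offline.

```python
"""Audit and fix group/world-readable credential files, the class of defect
behind CVE-2017-2665. Added example; paths and secret below are constructed."""
import os
import stat
import tempfile


def readability_findings(path: str) -> list[str]:
    """Return which non-owner read bits are set on `path` (empty list if none)."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def restrict_to_owner(path: str) -> None:
    """Mitigation: leave only owner read/write (0600) on a credential file."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def _constructed_conf(mode: int) -> str:
    # Stand-in for /etc/skyring/skyring.conf; the value is a placeholder, not a real secret.
    fd, path = tempfile.mkstemp(suffix="-skyring.conf")
    with os.fdopen(fd, "w") as fh:
        fh.write("[database]\ndbpassword = PLACEHOLDER_NOT_A_REAL_PASSWORD\n")
    os.chmod(path, mode)
    return path


def audit_and_fix(mode: int) -> tuple[list[str], list[str]]:
    """Create a conf file with `mode`, report findings before and after hardening."""
    path = _constructed_conf(mode)
    try:
        before = readability_findings(path)
        restrict_to_owner(path)
        after = readability_findings(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # A 0644 file (as shipped by the vulnerable skyring-setup) is flagged; 0600 is clean.
    print(audit_and_fix(0o644))  # (['group-readable', 'world-readable'], [])
    print(audit_and_fix(0o600))  # ([], [])
```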
Products affected by CVE-2017-2665
- cpe:2.3:a:redhat:storage_console:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-2665
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~9% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2017-2665
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N | 3.4 | 2.9 | NIST | |
7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 | NIST | |
4.8 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L | 1.3 | 3.4 | Red Hat, Inc. | |
CWE ids for CVE-2017-2665
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2017-2665
- http://www.securityfocus.com/bid/97612
  Red Hat Storage Console CVE-2017-2665 Insecure Password Storage Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2665
  1437770 – (CVE-2017-2665) CVE-2017-2665 rhscon-core: creates world readable file /etc/skyring/skyring.conf which leaks mongodb password for skyring database (Issue Tracking; Third Party Advisory)