CVE-2014-5247

EUVD-2014-5143
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.1 UNKNOWN
LOCAL
LOW
AV:L/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
spi-incganeti
2.10.0
spi-incganeti
2.10.0:beta1
spi-incganeti
2.10.0:rc1
spi-incganeti
2.10.0:rc2
spi-incganeti
2.10.0:rc3
spi-incganeti
2.10.1
spi-incganeti
2.10.2
spi-incganeti
2.10.3
spi-incganeti
2.10.4
spi-incganeti
2.10.5
spi-incganeti
2.10.6
spi-incganeti
2.11.0
spi-incganeti
2.11.0:beta1
spi-incganeti
2.11.0:rc1
spi-incganeti
2.11.1
spi-incganeti
2.11.2
spi-incganeti
2.11.3
spi-incganeti
2.11.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ganeti
bookworm
3.0.2-3
fixed
bullseye
3.0.2-1~deb11u1
fixed
sid
3.0.2-3
fixed
squeeze
not-affected
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ganeti
artful
dne
bionic
not-affected
cosmic
not-affected
disco
not-affected
lucid
ignored
precise
ignored
trusty
dne
utopic
ignored
vivid
ignored
wily
ignored
xenial
not-affected
yakkety
not-affected
zesty
not-affected
Common Weakness Enumeration
References
http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0
http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html
http://seclists.org/oss-sec/2014/q3/370
http://www.ocert.org/advisories/ocert-2014-006.html
http://www.securityfocus.com/archive/1/533119/100/0/threaded
http://www.securityfocus.com/bid/69186
https://exchange.xforce.ibmcloud.com/vulnerabilities/95256
http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0
http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html
http://seclists.org/oss-sec/2014/q3/370
http://www.ocert.org/advisories/ocert-2014-006.html
http://www.securityfocus.com/archive/1/533119/100/0/threaded
http://www.securityfocus.com/bid/69186
https://exchange.xforce.ibmcloud.com/vulnerabilities/95256