CVE-2014-5247

The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.1 UNKNOWN
LOCAL
LOW
AV:L/AC:L/Au:N/C:P/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
spi-incganeti
2.10.0
spi-incganeti
2.10.0:beta1
spi-incganeti
2.10.0:rc1
spi-incganeti
2.10.0:rc2
spi-incganeti
2.10.0:rc3
spi-incganeti
2.10.1
spi-incganeti
2.10.2
spi-incganeti
2.10.3
spi-incganeti
2.10.4
spi-incganeti
2.10.5
spi-incganeti
2.10.6
spi-incganeti
2.11.0
spi-incganeti
2.11.0:beta1
spi-incganeti
2.11.0:rc1
spi-incganeti
2.11.1
spi-incganeti
2.11.2
spi-incganeti
2.11.3
spi-incganeti
2.11.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ganeti
bullseye
3.0.2-1~deb11u1
fixed
wheezy
not-affected
squeeze
not-affected
sid
3.0.2-3
fixed
bookworm
3.0.2-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ganeti
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
dne
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
ignored
vivid
ignored
utopic
ignored
trusty
dne
precise
ignored
lucid
ignored
Common Weakness Enumeration
References
http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0
http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html
http://seclists.org/oss-sec/2014/q3/370
http://www.ocert.org/advisories/ocert-2014-006.html
http://www.securityfocus.com/archive/1/533119/100/0/threaded
http://www.securityfocus.com/bid/69186
https://exchange.xforce.ibmcloud.com/vulnerabilities/95256
http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0
http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html
http://seclists.org/oss-sec/2014/q3/370
http://www.ocert.org/advisories/ocert-2014-006.html
http://www.securityfocus.com/archive/1/533119/100/0/threaded
http://www.securityfocus.com/bid/69186
https://exchange.xforce.ibmcloud.com/vulnerabilities/95256