CVE-2014-5247

{"id": "CVE-2014-5247", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-08-29T16:55:12.030", "references": [{"url": "http://git.ganeti.org/?p=ganeti.git%3Ba=commit%3Bh=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0", "source": "cve@mitre.org"}, {"url": "http://packetstormsecurity.com/files/127851/Ganeti-Insecure-Archive-Permission.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/oss-sec/2014/q3/370", "source": "cve@mitre.org"}, {"url": "http://www.ocert.org/advisories/ocert-2014-006.html", "tags": ["US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/533119/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/69186", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95256", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command."}, {"lang": "es", "value": "La funci\u00f3n _UpgradeBeforeConfigurationChange en lib/client/gnt_cluster.py en Ganeti 2.10.0 anterior a 2.10.7 y 2.11.0 anterior a 2.11.5 utiliza permisos de lectura universal para el fichero de la copia de seguridad de la configuraci\u00f3n, lo que permite a usuarios locales obtener las claves SSL, las credenciales remotas de la API y otra informaci\u00f3n sensible mediante la lectura del fichero, relacionado con el comando upgrade."}], "lastModified": "2023-11-07T02:20:47.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F66B137A-661B-4A33-B42D-36086C5CE25F"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD3870AD-723B-4EE6-B86F-759126E06F21"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A8CBB01-AA66-4262-A3DF-26DED8E1B243"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F6F8F9E-2942-45A9-A3DF-7A2B3392110C"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4946A0E-7FAF-49D1-85B7-5CE8A31B9F3D"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C0A6331-D11E-4062-8883-3B0A8661CE20"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74F1C8B8-9A50-45E5-8CCA-425199DEB994"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1136452D-0A89-4E27-B6FA-F08236885FFF"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22D6DAB2-3455-4532-8FC9-FB04DD71B9B6"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F038EE62-9261-4D28-BC3C-8692FCA87115"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.10.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35ECC2AA-C63F-4794-A62D-B78ED6F82DD5"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "773D755E-7E1E-460E-A753-9AB5AA67759E"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.11.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B85FCE9-38B9-437D-AA42-A5C258A1D785"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.11.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4806E38C-C58B-4C41-A2BB-D6ABB2A392C1"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.11.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB162407-8069-43A6-8F93-492E6EBF17C2"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.11.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "997067C6-82FC-4917-A16C-3E8D7F1DFC77"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.11.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15071497-2E59-4EA1-ACDC-5D6AC2703226"}, {"criteria": "cpe:2.3:a:spi-inc:ganeti:2.11.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9FA19307-8A03-4161-9A15-BA8C7FD83F3B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}