CVE-2017-15104

An access flaw was found in Heketi 5, where the heketi.json configuration file was world readable. An attacker having local access to the Heketi server could read plain-text passwords from the heketi.json file.

CVSS v3 7.8 HIGH
CVSS v2.0 2.1 LOW

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://access.redhat.com/errata/RHSA-2017:3481	Third Party Advisory
https://access.redhat.com/security/cve/CVE-2017-15104	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1510149	Issue Tracking Third Party Advisory
https://github.com/heketi/heketi/releases/tag/v5.0.1	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:heketi_project:heketi:5.0.0:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-12-18 19:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-15104

Mitre link : CVE-2017-15104

CVE.ORG link : CVE-2017-15104

JSON object : View

Products Affected

redhat

enterprise_linux

heketi_project

heketi

CWE

CWE-552

Files or Directories Accessible to External Parties

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2017-15104", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2017-12-18T19:29:00.247", "references": [{"url": "https://access.redhat.com/errata/RHSA-2017:3481", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2017-15104", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1510149", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/heketi/heketi/releases/tag/v5.0.1", "tags": ["Release Notes"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-552"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An access flaw was found in Heketi 5, where the heketi.json configuration file was world readable. An attacker having local access to the Heketi server could read plain-text passwords from the heketi.json file."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de acceso en Heketi 5, donde el archivo de configuraci\u00f3n heketi.json puede ser le\u00eddo por cualquier usuario. Un atacante que tenga acceso local al servidor Heketi podr\u00eda leer contrase\u00f1as en texto plano del archivo heketi.json."}], "lastModified": "2023-02-12T23:28:30.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:heketi_project:heketi:5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "295217EA-588B-49B5-AA83-E0FCC641CBFF"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}