CVE-2009-4261

Name of the Vulnerable Software and Affected Versions Ganeti versions 1.2.4 through 1.2.8 Ganeti versions 2.0.0 through 2.0.4 Ganeti versions 2.1.0 before 2.1.0~rc2

Description The issue is related to "path sanitization errors" in the iallocator framework, allowing for directory traversal vulnerabilities. This enables remote attackers to execute arbitrary programs via a crafted external script name supplied through the HTTP remote API (RAPI). Additionally, local users can execute arbitrary programs and gain privileges via a crafted external script name supplied through a gnt-* command.

Recommendations For Ganeti versions 1.2.4 through 1.2.8, update to a version outside of this range to mitigate the risk. For Ganeti versions 2.0.0 through 2.0.4, update to a version outside of this range to mitigate the risk. For Ganeti versions 2.1.0 before 2.1.0rc2, update to version 2.1.0rc2 or later to resolve the issue.