Jeremy Cline

Researcher fromRed Hat
#10748of 53,633
25.6Total CVSS
Vulnerabilities · 4
Medium
2
High
2
PT-2017-8337
5.5
2017-06-08
Pulp · Pulp · CVE-2016-3107
**Name of the Vulnerable Software and Affected Versions** Pulp versions prior to 2.8.3 **Description** The issue concerns a world-readable file containing the private key for the Node certificate, stored in the "/etc/pki/pulp/nodes/" directory. This allows local users to access sensitive data, potentially gaining access to the private key information. **Recommendations** For versions prior to 2.8.3, update to version 2.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/etc/pki/pulp/nodes/" directory to minimize the risk of exploitation.
PT-2017-8338
7.1
2017-06-08
Pulp · Pulp · CVE-2016-3108
**Name of the Vulnerable Software and Affected Versions** Pulp versions prior to 2.8.3 **Description** The issue allows local users to leak keys or write to arbitrary files via a symlink attack, specifically targeting the pulp-gen-nodes-certificate script in Pulp. **Recommendations** For versions prior to 2.8.3, update to version 2.8.3 or later to resolve the issue.
PT-2017-8340
5.5
2017-06-08
Pulp · Pulp · CVE-2016-3111
**Name of the Vulnerable Software and Affected Versions** Pulp version 2.8.3 **Description** The issue arises during the installation process of Pulp, where the `pulp.spec` generates RSA key pairs in a world-readable directory before modifying the permissions. This might allow local users to read the generated RSA keys by accessing the key files while the installation is in progress. **Recommendations** For Pulp version 2.8.3, consider restricting access to the directory where the RSA key pairs are generated during the installation process to prevent local users from reading the keys. As a temporary workaround, monitor the installation process closely to minimize the time the key files are exposed.
PT-2017-8341
7.5
2017-06-08
Pulp · Pulp · CVE-2016-3112
**Name of the Vulnerable Software and Affected Versions** Pulp versions prior to 2.8.3 **Description** The issue allows remote authenticated users to obtain consumer private keys and escalate privileges. This is due to the world-readable writing of consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 2.8.3, update to version 2.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /etc/pki/pulp/consumer/consumer-cert.pem file to prevent unauthorized users from reading the consumer private keys.