CVE-2018-10917

Impact:
Moderate
Public Date:
2018-08-14
CWE:
CWE-22
Bugzilla:
1598928: CVE-2018-10917 pulp: Improper path parsing leads to overwrite of iso repositories

The MITRE CVE dictionary describes this issue as:

pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.

Find out more about CVE-2018-10917 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat Enterprise Virtualization Hypervisor includes only selected components of pulp, which are not affected by this flaw.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 6.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity Impact High
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Virtualization 4 pulp Not affected
Red Hat Satellite 6 pulp Affected

Acknowledgements

Red Hat would like to thank Simon Baatz (Telekom Deutschland GmbH) for reporting this issue.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.