Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE5dnctd3I1Ny14anYz
Information Exposure in Heketi
An access flaw was found in Heketi 5, where the heketi.json configuration file was world readable. An attacker having local access to the Heketi server could read plain-text passwords from the heketi.json file.
Permalink: https://github.com/advisories/GHSA-q9vw-wr57-xjv3JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE5dnctd3I1Ny14anYz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-q9vw-wr57-xjv3, CVE-2017-15104
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15104
- https://github.com/heketi/heketi/commit/787bae461b23003a4daa4d1d639016a754cf6b00
- https://access.redhat.com/errata/RHSA-2017:3481
- https://access.redhat.com/security/cve/CVE-2017-15104
- https://bugzilla.redhat.com/show_bug.cgi?id=1510149
- https://github.com/heketi/heketi/releases/tag/v5.0.1
- https://github.com/advisories/GHSA-q9vw-wr57-xjv3
Blast Radius: 27.3
Affected Packages
go:github.com/heketi/heketi
Dependent packages: 252Dependent repositories: 3,197
Downloads:
Affected Version Ranges: < 5.0.1
Fixed in: 5.0.1
All affected versions: 2.0.6, 3.0.0, 3.1.0, 4.0.0, 5.0.0
All unaffected versions: 5.0.1, 6.0.0, 7.0.0, 8.0.0, 9.0.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0