CVE-2015-7945
Published: 18 August 2017
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
Priority
Status
Package | Release | Status |
---|---|---|
ganeti Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Not vulnerable
(2.16.0~rc2-1build1)
|
|
cosmic |
Not vulnerable
(2.16.0-1ubuntu1)
|
|
disco |
Not vulnerable
(2.16.0-1ubuntu1)
|
|
precise |
Ignored
(end of life)
|
|
trusty |
Does not exist
(trusty was needed)
|
|
upstream |
Released
(2.15.2-1)
|
|
vivid |
Ignored
(end of life)
|
|
wily |
Ignored
(end of life)
|
|
xenial |
Not vulnerable
(2.15.2-3)
|
|
yakkety |
Not vulnerable
(2.15.2-6build3)
|
|
zesty |
Not vulnerable
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- http://www.ocert.org/advisories/ocert-2015-012.html
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=09fb8fc73c5fe33756cc63036d121b3d6dfa3f64
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=6e94ad76446904961744f9b0826414a5e4120693
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=6d44be24c50944fc35de7a490bc836938a82e1df
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=6f9ba80f8312d5607da70841f698c49000a31126
- https://www.cve.org/CVERecord?id=CVE-2015-7945
- NVD
- Launchpad
- Debian