CVE-2015-7945
Published: 18 August 2017
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ganeti Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(2.16.0~rc2-1build1)
|
|
| cosmic |
Not vulnerable
(2.16.0-1ubuntu1)
|
|
| disco |
Not vulnerable
(2.16.0-1ubuntu1)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Released
(2.15.2-1)
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Not vulnerable
(2.15.2-3)
|
|
| yakkety |
Not vulnerable
(2.15.2-6build3)
|
|
| zesty |
Not vulnerable
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- http://www.ocert.org/advisories/ocert-2015-012.html
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=09fb8fc73c5fe33756cc63036d121b3d6dfa3f64
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=6e94ad76446904961744f9b0826414a5e4120693
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=6d44be24c50944fc35de7a490bc836938a82e1df
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=6f9ba80f8312d5607da70841f698c49000a31126
- https://www.cve.org/CVERecord?id=CVE-2015-7945
- NVD
- Launchpad
- Debian