SB2018081513 - Path traversal in Pulp
Published: August 15, 2018 Updated: August 8, 2020
Security Bulletin ID
SB2018081513
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2018-10917)
The vulnerability allows a remote authenticated user to manipulate data.
pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.
Remediation
Install update from vendor's website.