SB2024050132 - Fedora EPEL 8 update for et

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024050132

SB2024050132 - Fedora EPEL 8 update for et

Published: May 1, 2024

Security Bulletin ID SB2024050132
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Insecure temporary file (CVE-ID: CVE-2022-48257)

The vulnerability allows a local user to disable application log.

The vulnerability exists due to etserver and etclient use predictable logfile names in /tmp. A local user can create a log file before the applications and disable logging.


2) Incorrect default permissions (CVE-ID: CVE-2022-48258)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect default permissions for logfiles set by the application. A local user with access to the system can view contents of files and gain access to sensitive information.


3) HTTP response splitting (CVE-ID: CVE-2023-26130)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correclty process CRLF character sequences passed via the Content-Type HTTP header in Patch, Post, Put and Delete requests. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.


Remediation

Install update from vendor's website.

References