Red Hat CloudForms pulp.conf information disclosure
cloudforms-pulpconf-info-disc (80548): Low Risk
Red Hat CloudForms could allow a local attacker to obtain sensitive information, because Pulp's configuration file (pulp.conf) is installed with world-readable permissions. An attacker could exploit this vulnerability to obtain the admin password and other sensitive information.
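A defensive check for the condition described above, as an added example that is not part of the original advisory or of Red Hat's fix. The default path is the one named in the Bugzilla reference; the function names, the exit codes, and the rule that "other" should have no read access are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a configuration file for world-readable permissions.
# Function names and exit codes are hypothetical, chosen for this example.

# world_readable FILE
# Succeeds (exit 0) when the "other" class has read permission on FILE.
# find -L follows a symlink so the mode of the real file is tested;
# -prune stops find from descending if FILE is a directory.
world_readable() {
    [ -n "$(find -L "$1" -prune -perm -004 2>/dev/null)" ]
}

# audit_conf [FILE]
# Prints one finding line and returns:
#   0  file exists and is not readable by "other"
#   1  file exists and is world-readable (the condition in this advisory)
#   2  file does not exist on this host
audit_conf() {
    f=${1:-/etc/pulp/pulp.conf}   # path taken from the Bugzilla reference
    if [ ! -e "$f" ]; then
        echo "SKIP  $f not present"
        return 2
    fi
    if world_readable "$f"; then
        # Show owner, group and mode so the finding can be triaged directly.
        echo "FAIL  $f is world-readable: $(ls -ld "$f")"
        return 1
    fi
    echo "OK    $f is not readable by other"
    return 0
}
```

Source the file and call `audit_conf` with no argument to test the default path, or pass another path to audit a different configuration file.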
Apply the appropriate update for your system. See References.
- Red Hat Bugzilla Bug 872487: CVE-2012-4574 pulp /etc/pulp/pulp.conf world readable, contains default admin password.
- BID-56819: Red Hat CloudForms Multiple Insecure File Permissions and Security Bypass Vulnerabilities
- CVE-2012-4574: Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file.
- OSVDB ID: 88138: Red Hat CloudForms Pulp World-Readable pulp.conf Configuration File Local Plaintext Admin Password Disclosure
- RHSA-2012-1543: Important: CloudForms System Engine 1.1 update
- SA51472: Red Hat CloudForms Multiple Vulnerabilities
- RedHat CloudForms
- RedHat Linux Advanced Workstation 2.1 Itanium
Dec 05, 2012
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.