Bug 989005 (CVE-2014-3593)
| Summary: | CVE-2014-3593 luci: privilege escalation through cluster with specially crafted configuration | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Pokorný [poki] <jpokorny> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | fdinitto, jkurik, jrusnack, rmccabe, rsteiger, security-response-team, vkrizan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-14 09:30:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1127286 | | |
| Bug Blocks: | 990750, 1101912 | | |
Comment 7
Vincent Danen
2013-08-08 19:56:00 UTC
Issue Description: It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6 via RHSA-2014:1390 https://rhn.redhat.com/errata/RHSA-2014-1390.html
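The pattern the issue description refers to, as an added illustration that is not luci's own code: a page generator that passes a configuration-derived string to eval() executes any Python expression in it, whereas ast.literal_eval() accepts only plain literals and rejects calls or names. The attribute names and values in CLUSTER_ATTRS are constructed for this example.

```python
"""Hypothetical contrast between an eval()-based value lookup and a literal-only
alternative. This is illustrative code written for this page, not luci's code;
it mirrors only the pattern described: a string taken from the cluster
configuration reaching eval() during page generation."""
import ast

# Constructed sample of configuration-derived attributes, as a page generator
# might receive them after parsing the cluster configuration. The values are
# controlled by whoever can edit that configuration, not by the luci admin.
CLUSTER_ATTRS = {
    "name": "'prod-cluster'",
    "config_version": "42",
    "injected": "len('abc')",   # a call expression, not a plain literal
}


def render_value_unsafe(raw):
    """Vulnerable pattern: eval() on a config-derived string. Any Python
    expression in the string runs with the privileges of the web process."""
    return eval(raw)


def render_value_safe(raw):
    """Hardened pattern: only Python literals (str, int, list, dict, ...) are
    accepted; calls, attribute access and bare names raise ValueError."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        raise ValueError("config value is not a plain literal: %r" % raw)


def render_page(attrs, renderer):
    """Render every attribute with the given renderer. Rejected values are
    reported by key rather than silently dropped, so the condition is visible
    to the operator (and loggable) instead of disappearing from the page."""
    rendered, rejected = {}, []
    for key, raw in attrs.items():
        try:
            rendered[key] = renderer(raw)
        except ValueError:
            rejected.append(key)
    return rendered, rejected


if __name__ == "__main__":
    # The unsafe renderer evaluates the call; the safe one rejects it.
    print(render_page(CLUSTER_ATTRS, render_value_unsafe))
    print(render_page(CLUSTER_ATTRS, render_value_safe))
```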