Bug 1593764 (CVE-2018-10867) - CVE-2018-10867 redhat-certification: /uploads/results page allows to remove files
Summary: CVE-2018-10867 redhat-certification: /uploads/results page allows to remove f...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10867
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1608788
Blocks: 1593614
TreeView+ depends on / blocked
 
Reported: 2018-06-21 14:32 UTC by Riccardo Schirone
Modified: 2021-10-25 09:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It has been discovered that redhat-certification does not restrict file access in the /update/results page. A remote attacker could use this vulnerability to remove any file accessible by the user which is running httpd.
Clone Of:
Environment:
Last Closed: 2021-10-25 09:45:31 UTC
Embargoed:

Attachments (Terms of Use)

Description Riccardo Schirone 2018-06-21 14:32:02 UTC 
Files are accessible without restrictions from the /update/results page of redhat-certification package, allowing an attacker to remove any file accessible by the apached user.
Comment 1 Riccardo Schirone 2018-06-21 14:32:11 UTC 
Acknowledgments:

Name: Riccardo Schirone (Red Hat Product Security)
Comment 2 Riccardo Schirone 2018-06-21 14:32:16 UTC 
Mitigation:

If SELinux is enabled, it will restrict the number of files accessible by the httpd process.
Comment 4 Riccardo Schirone 2018-06-25 13:15:06 UTC 
The uploadResults view does not properly check the resultsPath, allowing any user to download existing files.
Note You need to log in before you can comment on or make changes to this bug.