Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved. References: https://github.com/open-iscsi/rtslib-fb/pull/162
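The difference between the two calls named in the description, as an added example that is not rtslib-fb's code: it copies a constructed 0600 file with `shutil.copyfile` and with `shutil.copy` and compares the resulting modes. The file names, the 022 umask and the helper functions are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of path (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_copy_modes(workdir):
    """Copy a 0600 file with copyfile() and copy(); return both result modes."""
    old_umask = os.umask(0o022)  # assumed typical umask, fixed for repeatability
    try:
        src = os.path.join(workdir, "config.json.temp")  # constructed name
        fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write('{"constructed": "sample"}\n')

        via_copyfile = os.path.join(workdir, "via_copyfile.json")
        via_copy = os.path.join(workdir, "via_copy.json")
        shutil.copyfile(src, via_copyfile)  # data only: new file gets 0666 & ~umask
        shutil.copy(src, via_copy)          # data plus the permission bits of src
    finally:
        os.umask(old_umask)
    return mode_of(via_copyfile), mode_of(via_copy)


def group_or_other_accessible(path):
    """Audit check: True if group or other has any access to path."""
    return bool(mode_of(path) & (stat.S_IRWXG | stat.S_IRWXO))


def run_demo():
    """Run the comparison in a throwaway directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        copyfile_mode, copy_mode = compare_copy_modes(d)
        exposed = group_or_other_accessible(os.path.join(d, "via_copyfile.json"))
    return copyfile_mode, copy_mode, exposed


if __name__ == "__main__":
    m1, m2, exposed = run_demo()
    print(f"copyfile -> {oct(m1)}, copy -> {oct(m2)}, exposed={exposed}")
```

The same `group_or_other_accessible` check can be pointed at an existing configuration file to see whether it is readable beyond its owner.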
Created python-rtslib tracking bugs for this issue: Affects: fedora-all [bug 1854724]
Patch (also fixes a related issue with file open modes): https://github.com/open-iscsi/rtslib-fb/commit/1d19b0f2aa45b8f61f75d6a05524389ea547784c
Statement: Red Hat Ceph Storage 2 and 3 are not affected because within the affected method, shutil.copyfile is not used. However, the affected method, save_to_file, is outdated and contains a race condition. Hence, this issue has been rated as having a security impact of low.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2020:5435: https://access.redhat.com/errata/RHSA-2020:5435
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14019