Vulnerability-Lookup

CVE-2013-4481 (GCVE-0-2013-4481)

Vulnerability from cvelistv5 – Published: 2013-11-23 11:00 – Updated: 2024-08-06 16:45

Summary

Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as "authentication secrets."

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

FKIE_CVE-2013-4481

Vulnerability from fkie_nvd - Published: 2013-11-23 11:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1603.html	Vendor Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=988998
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1603.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=988998

Impacted products

	Vendor	Product	Version
	scientificlinux	luci	0.26.0
	redhat	enterprise_linux	6.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:scientificlinux:luci:0.26.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2283AAF-A541-4E4D-8517-D94FAFF3E8EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as \"authentication secrets.\""
    },
    {
      "lang": "es",
      "value": "Condici\u00f3n de carrera en Luci 0.26.0 crea /var/lib/luci/etc/luci.ini con permisos de escritura antes de restringir los permisos, lo que permite a usuarios locales leer archivos y obtener informaci\u00f3n sensible, tal como los \"secretos de autenticaci\u00f3n\"."
    }
  ],
  "id": "CVE-2013-4481",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 1.9,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-11-23T11:55:04.680",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1603.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988998"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1603.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988998"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

RHSA-2013:1603

Vulnerability from csaf_redhat - Published: 2013-11-20 19:34 - Updated: 2025-11-21 17:46

Summary

Red Hat Security Advisory: luci security, bug fix, and enhancement update

Notes

Topic

Updated luci packages that fix two security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

Luci is a web-based high availability administration application. A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user. (CVE-2013-4482) A flaw was found in the way luci generated its configuration file. The file was created as world readable for a short period of time, allowing a local user to gain access to the authentication secrets stored in the configuration file. (CVE-2013-4481) These issues were discovered by Jan Pokorný of Red Hat. These updated luci packages include numerous bug fixes and two enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical Notes, linked to in the References, for information on the most significant of these changes. All luci users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing this update, the luci service will be restarted automatically.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated luci packages that fix two security issues, several bugs, and add\ntwo enhancements are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Luci is a web-based high availability administration application.\n\nA flaw was found in the way the luci service was initialized. If a system\nadministrator started the luci service from a directory that was writable\nto by a local user, that user could use this flaw to execute arbitrary code\nas the root or luci user. (CVE-2013-4482)\n\nA flaw was found in the way luci generated its configuration file. The file\nwas created as world readable for a short period of time, allowing a local\nuser to gain access to the authentication secrets stored in the\nconfiguration file. (CVE-2013-4481)\n\nThese issues were discovered by Jan Pokorn\u00fd of Red Hat.\n\nThese updated luci packages include numerous bug fixes and two\nenhancements. Space precludes documenting all of these changes in this\nadvisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical\nNotes, linked to in the References, for information on the most significant\nof these changes.\n\nAll luci users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements. After installing this update, the luci service will be\nrestarted automatically.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:1603",
        "url": "https://access.redhat.com/errata/RHSA-2013:1603"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Technical_Notes/luci.html#RHSA-2013-1603",
        "url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Technical_Notes/luci.html#RHSA-2013-1603"
      },
      {
        "category": "external",
        "summary": "878149",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=878149"
      },
      {
        "category": "external",
        "summary": "880363",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=880363"
      },
      {
        "category": "external",
        "summary": "883008",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=883008"
      },
      {
        "category": "external",
        "summary": "886517",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=886517"
      },
      {
        "category": "external",
        "summary": "886576",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=886576"
      },
      {
        "category": "external",
        "summary": "917747",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=917747"
      },
      {
        "category": "external",
        "summary": "988998",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988998"
      },
      {
        "category": "external",
        "summary": "990321",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=990321"
      },
      {
        "category": "external",
        "summary": "1001835",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1001835"
      },
      {
        "category": "external",
        "summary": "1001836",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1001836"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1603.json"
      }
    ],
    "title": "Red Hat Security Advisory: luci security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2025-11-21T17:46:01+00:00",
      "generator": {
        "date": "2025-11-21T17:46:01+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2013:1603",
      "initial_release_date": "2013-11-20T19:34:00+00:00",
      "revision_history": [
        {
          "date": "2013-11-20T19:34:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-11-20T19:39:24+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:46:01+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux High Availability (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux High Availability (v. 6)",
                  "product_id": "6Server-HighAvailability",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Resilient Storage (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux Resilient Storage (v. 6)",
                  "product_id": "6Server-ResilientStorage",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "luci-debuginfo-0:0.26.0-48.el6.x86_64",
                "product": {
                  "name": "luci-debuginfo-0:0.26.0-48.el6.x86_64",
                  "product_id": "luci-debuginfo-0:0.26.0-48.el6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/luci-debuginfo@0.26.0-48.el6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "luci-0:0.26.0-48.el6.x86_64",
                "product": {
                  "name": "luci-0:0.26.0-48.el6.x86_64",
                  "product_id": "luci-0:0.26.0-48.el6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/luci@0.26.0-48.el6?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "luci-debuginfo-0:0.26.0-48.el6.i686",
                "product": {
                  "name": "luci-debuginfo-0:0.26.0-48.el6.i686",
                  "product_id": "luci-debuginfo-0:0.26.0-48.el6.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/luci-debuginfo@0.26.0-48.el6?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "luci-0:0.26.0-48.el6.i686",
                "product": {
                  "name": "luci-0:0.26.0-48.el6.i686",
                  "product_id": "luci-0:0.26.0-48.el6.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/luci@0.26.0-48.el6?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "luci-0:0.26.0-48.el6.src",
                "product": {
                  "name": "luci-0:0.26.0-48.el6.src",
                  "product_id": "luci-0:0.26.0-48.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/luci@0.26.0-48.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-0:0.26.0-48.el6.i686 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability:luci-0:0.26.0-48.el6.i686"
        },
        "product_reference": "luci-0:0.26.0-48.el6.i686",
        "relates_to_product_reference": "6Server-HighAvailability"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-0:0.26.0-48.el6.src as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability:luci-0:0.26.0-48.el6.src"
        },
        "product_reference": "luci-0:0.26.0-48.el6.src",
        "relates_to_product_reference": "6Server-HighAvailability"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-0:0.26.0-48.el6.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability:luci-0:0.26.0-48.el6.x86_64"
        },
        "product_reference": "luci-0:0.26.0-48.el6.x86_64",
        "relates_to_product_reference": "6Server-HighAvailability"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-debuginfo-0:0.26.0-48.el6.i686 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.i686"
        },
        "product_reference": "luci-debuginfo-0:0.26.0-48.el6.i686",
        "relates_to_product_reference": "6Server-HighAvailability"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-debuginfo-0:0.26.0-48.el6.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.x86_64"
        },
        "product_reference": "luci-debuginfo-0:0.26.0-48.el6.x86_64",
        "relates_to_product_reference": "6Server-HighAvailability"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-0:0.26.0-48.el6.i686 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage:luci-0:0.26.0-48.el6.i686"
        },
        "product_reference": "luci-0:0.26.0-48.el6.i686",
        "relates_to_product_reference": "6Server-ResilientStorage"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-0:0.26.0-48.el6.src as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage:luci-0:0.26.0-48.el6.src"
        },
        "product_reference": "luci-0:0.26.0-48.el6.src",
        "relates_to_product_reference": "6Server-ResilientStorage"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-0:0.26.0-48.el6.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage:luci-0:0.26.0-48.el6.x86_64"
        },
        "product_reference": "luci-0:0.26.0-48.el6.x86_64",
        "relates_to_product_reference": "6Server-ResilientStorage"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-debuginfo-0:0.26.0-48.el6.i686 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.i686"
        },
        "product_reference": "luci-debuginfo-0:0.26.0-48.el6.i686",
        "relates_to_product_reference": "6Server-ResilientStorage"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "luci-debuginfo-0:0.26.0-48.el6.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.x86_64"
        },
        "product_reference": "luci-debuginfo-0:0.26.0-48.el6.x86_64",
        "relates_to_product_reference": "6Server-ResilientStorage"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jan Pokorn\u00fd"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-4481",
      "discovery_date": "2013-07-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "988998"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the way luci generated its configuration file. The file was created as world readable for a short period of time, allowing a local user to gain access to the authentication secrets stored in the configuration file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "luci: short exposure of authentication secrets while generating configuration file",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-HighAvailability:luci-0:0.26.0-48.el6.i686",
          "6Server-HighAvailability:luci-0:0.26.0-48.el6.src",
          "6Server-HighAvailability:luci-0:0.26.0-48.el6.x86_64",
          "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.i686",
          "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.x86_64",
          "6Server-ResilientStorage:luci-0:0.26.0-48.el6.i686",
          "6Server-ResilientStorage:luci-0:0.26.0-48.el6.src",
          "6Server-ResilientStorage:luci-0:0.26.0-48.el6.x86_64",
          "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.i686",
          "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-4481"
        },
        {
          "category": "external",
          "summary": "RHBZ#988998",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988998"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-4481",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-4481"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4481",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4481"
        }
      ],
      "release_date": "2013-11-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-11-20T19:34:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.src",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.x86_64",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.src",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1603"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.src",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.x86_64",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.src",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "luci: short exposure of authentication secrets while generating configuration file"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jan Pokorn\u00fd"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-4482",
      "discovery_date": "2013-07-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "990321"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "luci: paster hidden untrusted path and \"command\" (callable association) injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-HighAvailability:luci-0:0.26.0-48.el6.i686",
          "6Server-HighAvailability:luci-0:0.26.0-48.el6.src",
          "6Server-HighAvailability:luci-0:0.26.0-48.el6.x86_64",
          "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.i686",
          "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.x86_64",
          "6Server-ResilientStorage:luci-0:0.26.0-48.el6.i686",
          "6Server-ResilientStorage:luci-0:0.26.0-48.el6.src",
          "6Server-ResilientStorage:luci-0:0.26.0-48.el6.x86_64",
          "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.i686",
          "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-4482"
        },
        {
          "category": "external",
          "summary": "RHBZ#990321",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=990321"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-4482",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-4482"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4482",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4482"
        }
      ],
      "release_date": "2013-11-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-11-20T19:34:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.src",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.x86_64",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.src",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1603"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.7,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.src",
            "6Server-HighAvailability:luci-0:0.26.0-48.el6.x86_64",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-HighAvailability:luci-debuginfo-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.src",
            "6Server-ResilientStorage:luci-0:0.26.0-48.el6.x86_64",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.i686",
            "6Server-ResilientStorage:luci-debuginfo-0:0.26.0-48.el6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "luci: paster hidden untrusted path and \"command\" (callable association) injection"
    }
  ]
}

GHSA-FFHG-M72P-75J9

Vulnerability from github – Published: 2022-05-14 01:08 – Updated: 2022-05-14 01:08

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-4481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-11-23T11:55:00Z",
    "severity": "LOW"
  },
  "details": "Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as \"authentication secrets.\"",
  "id": "GHSA-ffhg-m72p-75j9",
  "modified": "2022-05-14T01:08:28Z",
  "published": "2022-05-14T01:08:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4481"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988998"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1603.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2013-4481

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2013-4481

Aliases

CVE-2013-4481

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-4481",
    "description": "Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as \"authentication secrets.\"",
    "id": "GSD-2013-4481",
    "references": [
      "https://access.redhat.com/errata/RHSA-2013:1603"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-4481"
      ],
      "details": "Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as \"authentication secrets.\"",
      "id": "GSD-2013-4481",
      "modified": "2023-12-13T01:22:16.409803Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-4481",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as \"authentication secrets.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1603.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1603.html"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=988998",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988998"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:scientificlinux:luci:0.26.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4481"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as \"authentication secrets.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-362"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2013:1603",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1603.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=988998",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=988998"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2019-04-22T17:48Z",
      "publishedDate": "2013-11-23T11:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2013-4481 (GCVE-0-2013-4481)

FKIE_CVE-2013-4481

RHSA-2013:1603

GHSA-FFHG-M72P-75J9

GSD-2013-4481

Tags

Sightings

Nomenclature