Pulp up to 2.2.x Certificate Default certificate validation

A vulnerability was found in Pulp up to 2.2.x and has been declared critical. It affects an unknown functionality of the component Certificate. The manipulation leads to improper certificate validation (Default). The CWE definition for the vulnerability is CWE-295. The attack can be launched remotely. The attack technique deployed by this issue is T1587.003 according to MITRE ATT&CK. This vulnerability is known as CVE-2013-7450.

The bug was discovered 04/18/2016. The weakness was shared 04/03/2017 (oss-sec). The advisory can be read at openwall.com. There are no technical details available. There is no exploit available. The pricing for an exploit might be around USD $0-$5k at the moment. It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 350 days. We expect the 0-day to have been worth approximately $0-$5k.

Upgrading to version 2.3.0 addresses this issue. The bugfix is ready for download at github.com. It is recommended to upgrade the affected component. A possible mitigation was published before the disclosure of the vulnerability, not after it.

| Field | 04/04/2017 08:49 AM | 08/25/2020 02:58 PM | 11/24/2022 06:59 PM |
|---|---|---|---|
| name | Pulp | Pulp | Pulp |
| version | <=2.2.x | <=2.2.x | <=2.2.x |
| component | Certificate | Certificate | Certificate |
| cwe | 295 (certificate validation) | 295 (certificate validation) | 295 (certificate validation) |
| risk | 2 | 2 | 2 |
| historic | 0 | 0 | 0 |
| cvss2_vuldb_basescore | 6.8 | 6.8 | 6.8 |
| cvss2_vuldb_tempscore | 5.9 | 5.9 | 5.9 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | M | M | M |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | P | P | P |
| cvss2_nvd_av | N | N | N |
| cvss2_nvd_ac | L | L | L |
| cvss2_nvd_au | N | N | N |
| cvss2_nvd_ci | N | N | N |
| cvss2_nvd_ii | P | P | P |
| cvss2_nvd_ai | N | N | N |
| cvss3_meta_basescore | 7.4 | 7.4 | 7.4 |
| cvss3_meta_tempscore | 7.1 | 7.1 | 7.2 |
| cvss3_vuldb_basescore | 7.3 | 7.3 | 7.3 |
| cvss3_vuldb_tempscore | 7.0 | 7.0 | 7.0 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | L | L | L |
| cvss3_nvd_av | N | N | N |
| cvss3_nvd_ac | L | L | L |
| cvss3_nvd_pr | N | N | N |
| cvss3_nvd_ui | N | N | N |
| cvss3_nvd_s | U | U | U |
| cvss3_nvd_c | N | N | N |
| cvss3_nvd_i | H | H | H |
| cvss3_nvd_a | N | N | N |
| titleword | Default | Default | Default |
| date | 1491177600 (04/03/2017) | 1491177600 (04/03/2017) | 1491177600 (04/03/2017) |
| location | oss-sec | oss-sec | oss-sec |
| url | http://www.openwall.com/lists/oss-security/2016/04/18/11 | http://www.openwall.com/lists/oss-security/2016/04/18/11 | http://www.openwall.com/lists/oss-security/2016/04/18/11 |
| confirm_url | https://bugzilla.redhat.com/show_bug.cgi?id=1003326 | https://bugzilla.redhat.com/show_bug.cgi?id=1003326 | https://bugzilla.redhat.com/show_bug.cgi?id=1003326 |
| price_0day | $0-$5k | $0-$5k | $0-$5k |
| name | Upgrade | Upgrade | Upgrade |
| upgrade_version | 2.3.0 | 2.3.0 | 2.3.0 |
| cve | CVE-2013-7450 | CVE-2013-7450 | CVE-2013-7450 |
| cve_assigned | 1460937600 (04/18/2016) | 1460937600 (04/18/2016) | 1460937600 (04/18/2016) |
| cve_nvd_published | 1491177600 | 1491177600 | 1491177600 |
| cve_nvd_summary | Pulp before 2.3.0 uses the same the same certificate authority key and certificate for all installations. | Pulp before 2.3.0 uses the same the same certificate authority key and certificate for all installations. | Pulp before 2.3.0 uses the same the same certificate authority key and certificate for all installations. |
| seealso | 99819 | 99819 | 99819 |
| cvss2_vuldb_e | ND | ND | ND |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_rc | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | X | X | X |
| 0day_days | 350 | 350 | 350 |
| cvss3_nvd_basescore | 7.5 | 7.5 | 7.5 |

Fields recorded in fewer than three revisions:

| Field | Recorded values |
|---|---|
| discoverydate | 1460937600; 1460937600 |
| osvdb_title | CVE-2013-7450 - Pulp - Duplicate Certificate Issue; CVE-2013-7450 - Pulp - Duplicate Certificate Issue |
| patch_url | https://github.com/pulp/pulp/pull/627 |
| cvss2_nvd_basescore | 5.0 |
