CVE-2015-7945

Published: 18/08/2017 Updated: 08/09/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 505
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti prior to 2.9.7, 2.10.x prior to 2.10.8, 2.11.x prior to 2.11.8, 2.12.x prior to 2.12.6, 2.13.x prior to 2.13.3, 2.14.x prior to 2.14.2, and 2.15.x prior to 2.15.2 allows remote malicious users to obtain the DRBD secret via instance information job results.

Vulnerable Product

spi-inc ganeti 2.15.0

spi-inc ganeti 2.13.1

spi-inc ganeti 2.13.2

spi-inc ganeti 2.12.4

spi-inc ganeti 2.12.5

spi-inc ganeti 2.10.0

spi-inc ganeti 2.10.7

spi-inc ganeti 2.11.0

spi-inc ganeti 2.11.5

spi-inc ganeti 2.11.6

spi-inc ganeti 2.14.1

spi-inc ganeti 2.14.0

spi-inc ganeti 2.13.0

spi-inc ganeti 2.12.1

spi-inc ganeti 2.12.0

spi-inc ganeti 2.10.2

spi-inc ganeti 2.10.3

spi-inc ganeti 2.10.4

spi-inc ganeti 2.11.1

spi-inc ganeti 2.11.2

spi-inc ganeti 2.12.2

spi-inc ganeti 2.12.3

spi-inc ganeti 2.10.5

spi-inc ganeti 2.10.6

spi-inc ganeti 2.11.3

spi-inc ganeti 2.11.4

spi-inc ganeti 2.15.1

spi-inc ganeti 2.10.1

spi-inc ganeti 2.11.7

spi-inc ganeti

Vendor Advisories

Debian Bug report logs - #809538 ganeti: CVE-2015-7945: DRBD secret leak. Package: src:ganeti; Maintainer for src:ganeti is Debian Ganeti Team <ganeti@packages.debian.org>; Reported by: Antoine Beaupré <anarcat@debian.org>; Date: Thu, 31 Dec 2015 21:15:02 UTC; Severity: important; Tags: fixed-upstream, security, upstrea ...
Pierre Kim discovered two vulnerabilities in the restful API of Ganeti, a virtual server cluster management tool. SSL parameter negotiation could result in denial of service and the DRBD secret could leak. For the oldstable distribution (wheezy), these problems have been fixed in version 2.5.2-1+deb7u1. For the stable distribution (jessie), these p ...

Exploits

=begin ## Advisory Information Title: Ganeti Security Advisory (DoS, Unauthenticated Info Leak) Advisory URL: pierrekim.github.io/advisories/2016-ganeti-0x00.txt Blog URL: pierrekim.github.io/blog/2016-01-05-Ganeti-Info-Leak-DoS.html Date published: 2016-01-05 Vendors contacted: Google, MITRE Organization contacted: Riseup Release ...
Ganeti suffers from unauthenticated information disclosure and denial of service vulnerabilities ...