CVE-2018-1090 MEDIUM

CVE-2018-1090

Vendor [Unknown]

Product pulp

Weakness CWE-200 · Info exposure

Published June 18, 2018

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.

Key dates

02Disclosure timeline

June 18, 2018 CVE published

August 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-1090

Related vulnerabilities

04Related CVE

CVE-2017-2651 CVE-2023-1055 CVE-2024-29842 Broken Access control on DESKTOP_EDIT_USER_GET_ABACARD_FIELDS in Evolution Controller allows unauthenticated attackers to retrieve ABACARD values CVE-2024-28235 Contao possible cookie sharing with external domains while checking protected pages for broken links CVE-2023-48796 Apache dolphinscheduler sensitive information disclosure