CVE-2016-3704 - Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords.

CVE-2016-3704

Summary

Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords.

References

Vulnerable Configurations

cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.2.1-1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.2.1-1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.4:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.4:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.5:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.6.5:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.2:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.2-1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.2-1:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.3:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.4:*:*:*:*:*:*:*
cpe:2.3:a:pulpproject:pulp:2.8.4:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 12-02-2023 - 23:18)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:P/A:N

redhat via4

advisories

rhsa

id	RHSA-2018:0336

rpms

candlepin-0:2.1.14-1.el7
candlepin-selinux-0:2.1.14-1.el7
foreman-0:1.15.6.34-1.el7sat
foreman-bootloaders-redhat-0:201801241201-2.el7sat
foreman-bootloaders-redhat-tftpboot-0:201801241201-2.el7sat
foreman-cli-0:1.15.6.34-1.el7sat
foreman-compute-0:1.15.6.34-1.el7sat
foreman-debug-0:1.15.6.34-1.el7sat
foreman-discovery-image-1:3.4.4-1.el7sat
foreman-ec2-0:1.15.6.34-1.el7sat
foreman-gce-0:1.15.6.34-1.el7sat
foreman-installer-1:1.15.6.8-1.el7sat
foreman-installer-katello-0:3.4.5.26-1.el7sat
foreman-libvirt-0:1.15.6.34-1.el7sat
foreman-openstack-0:1.15.6.34-1.el7sat
foreman-ovirt-0:1.15.6.34-1.el7sat
foreman-postgresql-0:1.15.6.34-1.el7sat
foreman-proxy-0:1.15.6.4-1.el7sat
foreman-proxy-content-0:3.4.5-15.el7sat
foreman-rackspace-0:1.15.6.34-1.el7sat
foreman-selinux-0:1.15.6.2-1.el7sat
foreman-vmware-0:1.15.6.34-1.el7sat
hiera-0:1.3.1-2.el7sat
katello-0:3.4.5-15.el7sat
katello-certs-tools-0:2.4.0-1.el7sat
katello-client-bootstrap-0:1.5.1-1.el7sat
katello-common-0:3.4.5-15.el7sat
katello-debug-0:3.4.5-15.el7sat
katello-installer-base-0:3.4.5.26-1.el7sat
katello-selinux-0:3.0.2-1.el7sat
katello-service-0:3.4.5-15.el7sat
kobo-0:0.5.1-1.el7sat
pulp-admin-client-0:2.13.4.6-1.el7sat
pulp-docker-admin-extensions-0:2.4.1-2.el7sat
pulp-docker-plugins-0:2.4.1-2.el7sat
pulp-katello-0:1.0.2-1.el7sat
pulp-nodes-child-0:2.13.4.6-1.el7sat
pulp-nodes-common-0:2.13.4.6-1.el7sat
pulp-nodes-parent-0:2.13.4.6-1.el7sat
pulp-ostree-admin-extensions-0:1.2.1.1-1.el7sat
pulp-ostree-plugins-0:1.2.1.1-1.el7sat
pulp-puppet-admin-extensions-0:2.13.4-3.el7sat
pulp-puppet-plugins-0:2.13.4-3.el7sat
pulp-puppet-tools-0:2.13.4-3.el7sat
pulp-rpm-admin-extensions-0:2.13.4.8-1.el7sat
pulp-rpm-plugins-0:2.13.4.8-1.el7sat
pulp-selinux-0:2.13.4.6-1.el7sat
pulp-server-0:2.13.4.6-1.el7sat
puppet-foreman_scap_client-0:0.3.16-1.el7sat
python-pulp-agent-lib-0:2.13.4.6-1.el7sat
python-pulp-bindings-0:2.13.4.6-1.el7sat
python-pulp-client-lib-0:2.13.4.6-1.el7sat
python-pulp-common-0:2.13.4.6-1.el7sat
python-pulp-docker-common-0:2.4.1-2.el7sat
python-pulp-oid_validation-0:2.13.4.6-1.el7sat
python-pulp-ostree-common-0:1.2.1.1-1.el7sat
python-pulp-puppet-common-0:2.13.4-3.el7sat
python-pulp-repoauth-0:2.13.4.6-1.el7sat
python-pulp-rpm-common-0:2.13.4.8-1.el7sat
python-pulp-streamer-0:2.13.4.6-1.el7sat
python-zope-interface-0:4.0.5-4.el7
python-zope-interface-debuginfo-0:4.0.5-4.el7
redhat-access-insights-puppet-0:0.0.9-2.el7sat
rubygem-foreman_scap_client-0:0.3.0-2.el7sat
rubygem-kafo-0:2.0.2-1.el7sat
rubygem-kafo_parsers-0:0.1.6-1.el7sat
rubygem-kafo_wizards-0:0.0.1-2.el7sat
rubygem-smart_proxy_dhcp_remote_isc-0:0.0.2.1-1.fm1_15.el7sat
rubygem-smart_proxy_discovery-0:1.0.4-3.el7sat
rubygem-smart_proxy_discovery_image-0:1.0.9-1.el7sat
rubygem-smart_proxy_dynflow-0:0.1.10-1.el7sat
rubygem-smart_proxy_openscap-0:0.6.9-1.el7sat
rubygem-smart_proxy_pulp-0:1.3.0-1.git.0.b5c2768.el7sat
rubygem-smart_proxy_remote_execution_ssh-0:0.1.6-1.el7sat
rubygem-tilt-0:1.3.7-2.git.0.3b416c9.el7sat
satellite-0:6.3.0-23.0.el7sat
satellite-capsule-0:6.3.0-23.0.el7sat
satellite-cli-0:6.3.0-23.0.el7sat
satellite-common-0:6.3.0-23.0.el7sat
satellite-debug-tools-0:6.3.0-23.0.el7sat
satellite-installer-0:6.3.0.12-1.el7sat
tfm-rubygem-bastion-0:5.1.1.4-1.fm1_15.el7sat
tfm-rubygem-foreman-redhat_access-0:2.0.13-1.el7sat
tfm-rubygem-foreman-tasks-0:0.9.6.4-1.fm1_15.el7sat
tfm-rubygem-foreman-tasks-core-0:0.1.8-1.fm1_15.el7sat
tfm-rubygem-foreman_bootdisk-0:10.0.2.2-1.fm1_15.el7sat
tfm-rubygem-foreman_discovery-0:9.1.5.3-1.fm1_15.el7sat
tfm-rubygem-foreman_docker-0:3.1.0.3-1.fm1_15.el7sat
tfm-rubygem-foreman_hooks-0:0.3.14-1.fm1_15.el7sat
tfm-rubygem-foreman_openscap-0:0.7.11-1.fm1_15.el7sat
tfm-rubygem-foreman_remote_execution-0:1.3.7.2-1.fm1_15.el7sat
tfm-rubygem-foreman_remote_execution_core-0:1.0.6-1.fm1_15.el7sat
tfm-rubygem-foreman_templates-0:5.0.1-1.fm1_15.el7sat
tfm-rubygem-foreman_theme_satellite-0:1.0.4.16-1.el7sat
tfm-rubygem-foreman_virt_who_configure-0:0.1.9-1.fm1_15.el7sat
tfm-rubygem-hammer_cli-0:0.11.0.1-1.el7sat
tfm-rubygem-hammer_cli_csv-0:2.3.0-1.el7sat
tfm-rubygem-hammer_cli_foreman-0:0.11.0.5-1.el7sat
tfm-rubygem-hammer_cli_foreman_admin-0:0.0.8-1.el7sat
tfm-rubygem-hammer_cli_foreman_bootdisk-0:0.1.3.3-2.el7sat
tfm-rubygem-hammer_cli_foreman_discovery-0:1.0.0-1.el7sat
tfm-rubygem-hammer_cli_foreman_docker-0:0.0.6-2.el7sat
tfm-rubygem-hammer_cli_foreman_openscap-0:0.1.5-1.fm1_15.el7sat
tfm-rubygem-hammer_cli_foreman_remote_execution-0:0.0.6-1.fm1_15.el7sat
tfm-rubygem-hammer_cli_foreman_tasks-0:0.0.12-1.fm1_15.el7sat
tfm-rubygem-hammer_cli_foreman_virt_who_configure-0:0.0.3-1.el7sat
tfm-rubygem-hammer_cli_katello-0:0.11.3.5-1.el7sat
tfm-rubygem-katello-0:3.4.5.58-1.el7sat
tfm-rubygem-katello_ostree-0:3.4.5.58-1.el7sat
tfm-rubygem-ovirt_provision_plugin-0:1.0.2-1.fm1_15.el7sat
tfm-rubygem-smart_proxy_dynflow_core-0:0.1.10-1.fm1_15.el7sat

refmap via4

confirm	https://bugzilla.redhat.com/show_bug.cgi?id=1330264 https://docs.pulpproject.org/user-guide/release-notes/2.8.x.html#pulp-2-8-5 https://pulp.plan.io/issues/1858
fedora	FEDORA-2016-4373f7d32a
misc	https://github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L25 https://github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L97-L105

Last major update

12-02-2023 - 23:18

Published

13-06-2017 - 17:29

Last modified

12-02-2023 - 23:18