CVE-2015-7945

EPSS 9.4%

The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.

Affected products

n/a · n/a

public PoCs found — 3

cve_referencepacketstormsecurity.com/files/135101/Ganeti-Leaked-Secret-Denial-Of-Service.htmlunverified cve_referencewww.exploit-db.com/exploits/39169/unverified exploitdbwww.exploit-db.com/exploits/39169unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://docs.ganeti.org/ganeti/2.10/html/news.html#version-2-10-8 http://docs.ganeti.org/ganeti/2.11/html/news.html#version-2-11-8 http://docs.ganeti.org/ganeti/2.12/html/news.html#version-2-12.6 http://docs.ganeti.org/ganeti/2.13/html/news.html#version-2-13-3 http://docs.ganeti.org/ganeti/2.14/html/news.html#version-2-14-2 http://docs.ganeti.org/ganeti/2.15/html/news.html#version-2-15-2 http://docs.ganeti.org/ganeti/2.9/html/news.html#version-2-9-7 http://packetstormsecurity.com/files/135101/Ganeti-Leaked-Secret-Denial-Of-Service.html https://www.exploit-db.com/exploits/39169/http://www.debian.org/security/2016/dsa-3431 http://www.ocert.org/advisories/ocert-2015-012.html