Bug 13503

Summary: [CVE 21] cfengine 3.15.3 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED INVALID
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: e.kosachev, s.matveev, y.tumanov
Version: All
Flags: y.tumanov: secteam_verified+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2021-36756, CVE-2021-38379, CVE-2021-44215, CVE-2021-44216, CVE-2023-26560,
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-08-24 00:18:16 MSK
Please patch CVEs for package cfengine version 3.15.3
  
INFO (CVEs are): cfengine 3.15.3
 cves found
CVE-2021-36756
Desc: CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate Validation.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-36756
Severity: MEDIUM
CVE-2021-38379
Desc: The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permissions that allow local Information Disclosure.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-38379
Severity: MEDIUM
CVE-2021-44215
Desc: Northern.tech CFEngine Enterprise 3.15.4 before 3.15.5 has Insecure Permissions that may allow unauthorized local users to have an unspecified impact.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-44215
Severity: MEDIUM
CVE-2021-44216
Desc: Northern.tech CFEngine Enterprise before 3.15.5 and 3.18.x before 3.18.1 has Insecure Permissions that may allow unauthorized local users to access the Apache and Mission Portal log files.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-44216
Severity: MEDIUM
CVE-2023-26560
Desc: Northern.tech CFEngine Enterprise before 3.21.1 allows a subset of authenticated users to leverage the Scheduled Reports feature to read arbitrary files and potentially discover credentials.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-26560
Severity: MEDIUM
Comment 1 Svyatoslav Matveev 2023-08-28 12:20:48 MSK
The CVEs concern CFEngine Enterprise.
Comment 2 Yury 2023-10-18 17:15:48 MSK
secteam_verified
Comment 3 Yury 2023-10-18 17:15:48 MSK
secteam_verified