CVE-2020-14019
Description
RHEA-2020:4505: python-rtslib bug fix and enhancement update (Moderate)
Description
python-rtslib: weak permissions for /etc/target/saveconfig.json
Red Hat statement
Red Hat Ceph Storage 2 and 3 are not affected because, within the affected method, shutil.copyfile is not used. However, the affected method, save_to_file, is outdated and contains a race condition. Hence, this issue has been rated as having a security impact of Low.
CVSS v3: 6.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 7 | python-rtslib-0:2.1.74-1.el7_9 | RHSA-2020:5435 | 2020-12-15T00:00:00Z |
| Red Hat Enterprise Linux 8 | python-rtslib-0:2.1.73-2.el8 | RHEA-2020:4505 | 2020-11-04T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Ceph Storage 2 | python-rtslib | Out of support scope |
| Red Hat Ceph Storage 3 | python-rtslib | Affected |
| Red Hat Enterprise Linux 6 | python-rtslib | Out of support scope |
Apply commands
```shell
yum update -y python-rtslib
# or:
dnf upgrade -y python-rtslib
```
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Ceph Storage 3 | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.1.71-3 |
| sid | Fixed | 2.1.71-3 |
| forky | Fixed | 2.1.71-3 |
| bullseye | Fixed | 2.1.71-3 |
| bookworm | Fixed | 2.1.71-3 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | rtslib-fb | <2.1.73 | 2.1.73 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-14019
- https://github.com/open-iscsi/rtslib-fb/pull/162
- https://github.com/open-iscsi/rtslib-fb/commit/b23d061ee0fa7924d2cdce6194c313b9ee06c468
- https://github.com/open-iscsi/rtslib-fb
- https://github.com/pypa/advisory-database/tree/main/vulns/rtslib-fb/PYSEC-2020-250.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00012.html
- https://www.suse.com/security/cve/CVE-2020-14019.html
- https://security-tracker.debian.org/tracker/CVE-2020-14019
- https://access.redhat.com/errata/RHEA-2020:4505