CVE-2017-15104: Information Exposure in Heketi
7.8
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/heketi/heketi | go | < 5.0.1 | 5.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the heketi.json
configuration file being world-readable, allowing local attackers to access sensitive data. This is a file permission misconfiguration issue rather than a specific function vulnerability. The analysis of provided commit diffs (787bae4) shows input validation
improvements and shell command sanitization, but no changes related to file permission handling. The root cause likely resides in how the configuration file was created/written (e.g., using default permissions like 0644 instead of 0600), but without seeing the specific code that generates/manages heketi.json
file permissions, we cannot identify a specific vulnerable function
with high confidence. The vulnerability is environmental/configuration-related rather than stemming from a particular code function
's logic.