Miggo Logo

CVE-2017-15104: Information Exposure in Heketi

7.8

CVSS Score
3.1

Basic Information

EPSS Score
0.25676%
Published
2/15/2022
Updated
2/10/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/heketi/heketigo< 5.0.15.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the heketi.json configuration file being world-readable, allowing local attackers to access sensitive data. This is a file permission misconfiguration issue rather than a specific function vulnerability. The analysis of provided commit diffs (787bae4) shows input validation improvements and shell command sanitization, but no changes related to file permission handling. The root cause likely resides in how the configuration file was created/written (e.g., using default permissions like 0644 instead of 0600), but without seeing the specific code that generates/manages heketi.json file permissions, we cannot identify a specific vulnerable function with high confidence. The vulnerability is environmental/configuration-related rather than stemming from a particular code function's logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n ****ss *l*w w*s *oun* in **k*ti *, w**r* t** **k*ti.json *on*i*ur*tion *il* w*s worl* r*****l*. *n *tt**k*r **vin* lo**l ****ss to t** **k*ti s*rv*r *oul* r*** pl*in-t*xt p*sswor*s *rom t** **k*ti.json *il*.

Reasoning

T** vuln*r**ility st*ms *rom t** `**k*ti.json` *on*i*ur*tion *il* **in* worl*-r*****l*, *llowin* lo**l *tt**k*rs to ****ss s*nsitiv* **t*. T*is is * *il* p*rmission mis*on*i*ur*tion issu* r*t**r t**n * sp**i*i* *un*tion vuln*r**ility. T** *n*lysis o*