CVE-2014-8174: Infoleak
First published: Tue Mar 17 2015(Updated: )
eDeploy makes it easier for remote attackers to execute arbitrary code by leveraging use of HTTP to download files.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat eDeploy | <=1.11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1202972
- https://github.com/redhat-cip/edeploy/issues/230
- http://${HTTP_PROXY
- http://ftp.debian.org/debian/pool/main/t/tar/tar_1.27.1-1~bpo70+1_${ARCH:=amd64}.deb
- http://security.ubuntu.com/ubuntu
- http://security.debian.org/
- http://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key
- http://hwraid.le-vert.net/debian
- http://hwraid.le-vert.net/ubuntu/hwraid.le-vert.net.gpg.key
- http://hwraid.le-vert.net/ubuntu
- http://downloads.linux.hp.com/SDR/downloads/MCP/pool/non-free/$package_name
- http://downloads.linux.hp.com/SDR/downloads/ServicePackforProLiant/2013.02.0/hp/swpackages/hpacucli-9.40-12.0.x86_64.rpm
- http://downloads.linux.hp.com/SDR/hpPublicKey1024.pub
- http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
- http://downloads.linux.hp.com/repo/spp/rhel/$CODENAME_MAJOR.$CODENAME_MINOR/x86_64/current
- http://us.archive.ubuntu.com/ubuntu/ubuntu/pool/universe/libm/libmlx4/$LIBMLX
- http://pkgs.repoforge.org/netperf/netperf-2.6.0-1.el6.rf.x86_64.rpm
- http://pkgs.repoforge.org/fio/fio-2.1.7-1.el6.rf.x86_64.rpm
- http://pkgs.repoforge.org/lshw/lshw-2.17-1.el6.rf.x86_64.rpm
- http://pkgs.repoforge.org/fio/fio-2.1.7-1.el7.rf.x86_64.rpm
- http://pkgs.repoforge.org/lshw/lshw-2.17-1.el7.rf.x86_64.rpm
- http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py
- http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy
- http://169.254.169.254/2009-04-04/user-data
- http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload-health.py
- http://http.debian.net/debian
- http://archive.ubuntu.com/ubuntu
- http://mirror.centos.org/centos/6.5/os/x86_64/Packages/centos-release-6-5.el6.centos.11.1.x86_64.rpm
- http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-0.1406.el7.centos.2.3.x86_64.rpm
- http://dev.centos.org/centos/6/SCL/scl.repo
- http://192.168.122.1:8000/
- http://localhost/cgi-bin/upload.py
- http://www.enovance.com/
- http://10.101.14.14/health.pxe
- https://github.com/enovance/edeploy/issues/230
Frequently Asked Questions
What is the severity of CVE-2014-8174?
CVE-2014-8174 is considered a critical vulnerability due to its potential for remote code execution.
How do I fix CVE-2014-8174?
To fix CVE-2014-8174, upgrade to the latest version of eDeploy that addresses this vulnerability.
What type of attacks can be executed with CVE-2014-8174?
CVE-2014-8174 allows remote attackers to execute arbitrary code by exploiting the way sensitive files are downloaded via HTTP.
Which versions of eDeploy are affected by CVE-2014-8174?
CVE-2014-8174 affects eDeploy versions up to and including 1.11.0.
Is there any workaround for CVE-2014-8174 before applying the fix?
A potential workaround for CVE-2014-8174 is to restrict HTTP access or monitor downloads while a fixed version is being deployed.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-8174
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/redhat edeploy
- version/redhat edeploy/1.11.0