CVE-2020-14019: rtslib-fb weak permissions for /etc/target/saveconfig.json file
Python rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json
because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.
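The difference between the two calls, as an added example that is not rtslib-fb's own code: it copies a constructed owner-only file both ways and reports the resulting permission bits. The file names, the 0o600 source mode, the 0o022 umask and the helper names are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of path (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_copies(src_mode=0o600, umask=0o022):
    """Copy a restricted file with both functions and return the resulting modes."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            # Constructed stand-in for a config file that should stay owner-only.
            src = os.path.join(tmp, "saveconfig.json")
            with open(src, "w") as fh:
                fh.write('{"constructed": "sample"}\n')
            os.chmod(src, src_mode)

            via_copyfile = os.path.join(tmp, "backup-copyfile.json")
            via_copy = os.path.join(tmp, "backup-copy.json")
            shutil.copyfile(src, via_copyfile)  # data only: new file gets 0o666 & ~umask
            shutil.copy(src, via_copy)          # data, then the source permission bits
            return {
                "source": mode_of(src),
                "copyfile": mode_of(via_copyfile),
                "copy": mode_of(via_copy),
            }
    finally:
        os.umask(old_umask)


def exposed_bits(path):
    """Return the group/other permission bits set on path (0 means owner-only)."""
    return mode_of(path) & (stat.S_IRWXG | stat.S_IRWXO)


if __name__ == "__main__":
    for name, mode in compare_copies().items():
        print(f"{name:9s} {oct(mode)}")
```

`exposed_bits` can be pointed at an existing /etc/target/saveconfig.json to check whether group or other bits are set on it.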
References
- github.com/advisories/GHSA-cpcw-p965-wpqx
- github.com/open-iscsi/rtslib-fb
- github.com/open-iscsi/rtslib-fb/commit/b23d061ee0fa7924d2cdce6194c313b9ee06c468
- github.com/open-iscsi/rtslib-fb/pull/162
- github.com/pypa/advisory-database/tree/main/vulns/rtslib-fb/PYSEC-2020-250.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH
- nvd.nist.gov/vuln/detail/CVE-2020-14019