Date: Thu, 28 Jul 2016 09:32:34 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: CVE Request: redis: World readable .rediscli_history Hi >From the Debian bug report at https://bugs.debian.org/832460: > redis-cli stores its history in ~/.rediscli_history, this file is > created with permissions 0644. Home folders are world readable as well > in debian, so any user can access other users redis history, including > AUTH commands, which include credentials. > > I've contacted upstream on 2016-05-30 without any reaction at all and > discovered this bug was first reported 3 years ago, still unfixed. > @RedisLabs keeps referring to their paid support on twitter. > > Demo: `cat /home/*/.rediscli_history` Upstream report: https://github.com/antirez/redis/issues/3284 Could you please assign a CVE for this issue in redis? Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ