Subject: PSA-2025-00009-1: Ceph management: limited privileged file creation vulnerability
Advisory date: 2025-04-17
Packages: pve-manager
Details: On setups using the Ceph management stack, a highly-privileged user could trigger the creation of a task log file and its parent directories outside of the intended location inside /var/log/pve/tasks. This vulnerability does not allow overwriting an existing file. The created task log file's name always ends in :user@realm: (user and realm are placeholders for the actual user triggering the issue, and its realm). Its content is the task log, which is not under control of the user. Only users/tokens with the Sys.Modify privilege can trigger this issue. This privilege already "allow(s) modifying aspects of the system or its configuration that are dangerous or sensitive" (see references).
Fixed: pve-manager >= 8.3.6, libpve-common-perl >= 8.3.1
References:
- Sys.Modify privilege: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_privileges
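
Added example (not part of the original advisory and not Proxmox code): a host check that compares the installed packages against the fixed versions above and lists files named like a task log (ending in :user@realm:) that sit outside /var/log/pve/tasks. The function names and the --scan switch are hypothetical, and the file-name match is a heuristic that can also hit unrelated files.

```shell
#!/bin/sh
# Added example: patch-level and artifact check for PSA-2025-00009-1.
# Function names and the --scan switch are hypothetical, not a Proxmox tool.

# Return 0 if package $1 is installed at version >= $2, 1 if it is older,
# 2 if it is not installed (or dpkg is unavailable on this host).
pkg_is_fixed() {
    ver=$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null) || return 2
    [ -n "$ver" ] || return 2
    dpkg --compare-versions "$ver" ge "$2"
}

# Print regular files below root $1 whose name ends in ":user@realm:" and
# that are NOT below the legitimate task log directory $2.
# Heuristic only: the advisory states the name suffix, nothing else, so
# every hit needs manual review (owner, timestamps, content).
find_stray_task_logs() {
    find "$1" \( -path "$2" -o -path /proc -o -path /sys \) -prune \
        -o -type f -name '*:*@*:' -print 2>/dev/null
}

# Run the full check only when explicitly asked to.
if [ "${1:-}" = "--scan" ]; then
    for spec in pve-manager=8.3.6 libpve-common-perl=8.3.1; do
        pkg=${spec%%=*}
        min=${spec#*=}
        if pkg_is_fixed "$pkg" "$min"; then
            echo "OK     $pkg >= $min"
        else
            echo "CHECK  $pkg is older than $min or not installed"
        fi
    done
    echo "Task-log-like files outside /var/log/pve/tasks:"
    find_stray_task_logs / /var/log/pve/tasks
fi
```

Run it as root with --scan on each node; an empty file list together with two OK lines means the node is patched and shows no leftover files of this shape.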