mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
126 lines
4.6 KiB
JSON
126 lines
4.6 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "security@suse.com",
|
|
"DATE_PUBLIC": "2019-09-17T00:00:00.000Z",
|
|
"ID": "CVE-2019-3689",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "nfs-utils: root-owned files stored in insecure /var/lib/nfs directory"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "SUSE",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "SUSE Linux Enterprise Server 12",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "before and including version 1.3.0-34.18.1"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "SUSE Linux Enterprise Server 15",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "before and including version 2.1.1-6.10.2"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"credit": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Malte Kraus of SUSE"
|
|
}
|
|
],
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "The nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2 the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system."
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.0.8"
|
|
},
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "LOCAL",
|
|
"availabilityImpact": "LOW",
|
|
"baseScore": 5.1,
|
|
"baseSeverity": "MEDIUM",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "NONE",
|
|
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-276 Incorrect Default Permissions"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1150733",
|
|
"refsource": "CONFIRM",
|
|
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1150733"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[debian-lts-announce] 20191019 [SECURITY] [DLA 1965-1] nfs-utils security update",
|
|
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00026.html"
|
|
},
|
|
{
|
|
"refsource": "SUSE",
|
|
"name": "openSUSE-SU-2019:2408",
|
|
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00071.html"
|
|
},
|
|
{
|
|
"refsource": "SUSE",
|
|
"name": "openSUSE-SU-2019:2435",
|
|
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00006.html"
|
|
},
|
|
{
|
|
"refsource": "MISC",
|
|
"name": "https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e",
|
|
"url": "https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e"
|
|
}
|
|
]
|
|
},
|
|
"source": {
|
|
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1150733",
|
|
"defect": [
|
|
"1150733"
|
|
],
|
|
"discovery": "INTERNAL"
|
|
}
|
|
} |