7

CVE-2016-4444

Exploit
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.47% 0.372
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7 1 5.9
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.9 3.4 10
AV:L/AC:M/Au:N/C:C/I:C/A:C
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://seclists.org/oss-sec/2016/q2/575
Patch
Third Party Advisory
Exploit
Mailing List
http://www.securityfocus.com/bid/91476
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1036144
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2016:1293
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1332644
Patch
Issue Tracking
https://github.com/fedora-selinux/setroubleshoot/commit/5cd60033ea7f5bdf8c19c27b23ea2d773d9b09f5
Patch
https://rhn.redhat.com/errata/RHSA-2016-1267.html
Third Party Advisory