7
CVE-2016-4446
- EPSS 0.48%
- Veröffentlicht 11.04.2017 18:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Setroubleshoot Project ≫ Setroubleshoot Version <= -
Redhat ≫ Enterprise Linux Desktop Version7.0
Redhat ≫ Enterprise Linux Hpc Node Version7.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Workstation Version7.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.48% | 0.376 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7 | 1 | 5.9 |
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.9 | 3.4 | 10 |
AV:L/AC:M/Au:N/C:C/I:C/A:C
|
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
http://seclists.org/oss-sec/2016/q2/575
http://www.securitytracker.com/id/1036144
https://access.redhat.com/errata/RHSA-2016:1293
https://rhn.redhat.com/errata/RHSA-2016-1267.html
http://www.securityfocus.com/bid/91427
https://bugzilla.redhat.com/show_bug.cgi?id=1339250
https://github.com/fedora-selinux/setroubleshoot/commit/eaccf4c0d20a27d3df5ff6de8c9dcc80f6f40718