CVE-2016-8641

Exploit

EPSS 1.12%
Published 01.08.2018 14:29:00
Last modified 21.11.2024 02:59:44
Source secalert@redhat.com
Teams watchlist Login
Open Login

A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change.

Affected products Warnungen 0 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Nagios ≫ Nagios Version4.2.0

Nagios ≫ Nagios Version4.2.1

Nagios ≫ Nagios Version4.2.2

Nagios ≫ Nagios Version4.2.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.12%	0.775

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
secalert@redhat.com	6.7	0.8	5.9	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://security.gentoo.org/glsa/201702-26

Third Party Advisory

http://www.securityfocus.com/bid/95121

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8641

Patch

Third Party Advisory

Issue Tracking

https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1.patch

Patch

Third Party Advisory