7.8

CVE-2022-41974

Exploit

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

Data is provided by the National Vulnerability Database (NVD)
OpensvcMultipath-tools Version >= 0.7.0 < 0.9.2
FedoraprojectFedora Version36
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.02% 0.033
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

http://seclists.org/fulldisclosure/2022/Dec/4
Third Party Advisory
Exploit
Mailing List
http://www.openwall.com/lists/oss-security/2022/11/30/2
Third Party Advisory
Exploit
Mailing List
http://seclists.org/fulldisclosure/2022/Oct/25
Third Party Advisory
Exploit
Mailing List
http://www.openwall.com/lists/oss-security/2022/10/24/2
Third Party Advisory
Exploit
Mailing List
https://bugzilla.suse.com/show_bug.cgi?id=1202739
Third Party Advisory
Issue Tracking