CWE-250
Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CVE-2019-10143 (GCVE-0-2019-10143)
Vulnerability from cvelistv5 – Published: 2019-05-24 00:00 – Updated: 2024-08-04 22:10 Disputed
VLAI
Summary
It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated "there is simply no way for anyone to gain privileges through this alleged issue."
Severity
6.4 (Medium)
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freeradius | freeradius |
Affected:
affects <= 3.0.19
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freeradius",
"vendor": "freeradius",
"versions": [
{
"lessThanOrEqual": "3.0.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "30"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "29"
}
]
},
{
"cpes": [
"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_linux",
"vendor": "redhat",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-10143",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T19:23:06.388705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T19:24:21.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:10.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2019-4a8eeaf80e",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TKODLHHUOVAYENTBP4D3N25ST3Q6LJBP/"
},
{
"name": "FEDORA-2019-9454ce61b2",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A6VKBZAZKJP5QKXDXRKCM2ZPZND3TFAX/"
},
{
"name": "RHSA-2019:3353",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3353"
},
{
"name": "20191115 [AIT-SA-20191112-01] CVE-2019-10143: Privilege Escalation via Logrotate in FreeRadius",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Nov/14"
},
{
"tags": [
"x_transferred"
],
"url": "https://freeradius.org/security/"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/155361/FreeRadius-3.0.19-Logrotate-Privilege-Escalation.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10143"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FreeRADIUS/freeradius-server/pull/2666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeradius",
"vendor": "freeradius",
"versions": [
{
"status": "affected",
"version": "affects \u003c= 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated \"there is simply no way for anyone to gain privileges through this alleged issue.\""
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-12T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2019-4a8eeaf80e",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TKODLHHUOVAYENTBP4D3N25ST3Q6LJBP/"
},
{
"name": "FEDORA-2019-9454ce61b2",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A6VKBZAZKJP5QKXDXRKCM2ZPZND3TFAX/"
},
{
"name": "RHSA-2019:3353",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3353"
},
{
"name": "20191115 [AIT-SA-20191112-01] CVE-2019-10143: Privilege Escalation via Logrotate in FreeRadius",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2019/Nov/14"
},
{
"url": "https://freeradius.org/security/"
},
{
"url": "http://packetstormsecurity.com/files/155361/FreeRadius-3.0.19-Logrotate-Privilege-Escalation.html"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10143"
},
{
"url": "https://github.com/FreeRADIUS/freeradius-server/pull/2666"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10143",
"datePublished": "2019-05-24T00:00:00.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:10.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10144 (GCVE-0-2019-10144)
Vulnerability from cvelistv5 – Published: 2019-06-03 18:19 – Updated: 2024-08-04 22:10
VLAI
Summary
rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are given all capabilities during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
Severity
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twistlock.com/labs-blog/breaking-out-… | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:10.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10144"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rkt",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "1.30.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are given all capabilities during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-03T18:19:20.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10144"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10144",
"datePublished": "2019-06-03T18:19:20.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:10.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10145 (GCVE-0-2019-10145)
Vulnerability from cvelistv5 – Published: 2019-06-03 18:20 – Updated: 2024-08-04 22:10
VLAI
Summary
rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` do not have seccomp filtering during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
Severity
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://www.twistlock.com/labs-blog/breaking-out-… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10145"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rkt",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "1.30.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` do not have seccomp filtering during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-03T18:20:07.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10145"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10145",
"datePublished": "2019-06-03T18:20:07.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:09.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10147 (GCVE-0-2019-10147)
Vulnerability from cvelistv5 – Published: 2019-06-03 18:21 – Updated: 2024-08-04 22:10
VLAI
Summary
rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
Severity
4.7 (Medium)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twistlock.com/labs-blog/breaking-out-… | x_refsource_MISC |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:10.003Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10147"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rkt",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "1.30.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-03T18:21:04.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10147"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10147",
"datePublished": "2019-06-03T18:21:04.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:10.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10167 (GCVE-0-2019-10167)
Vulnerability from cvelistv5 – Published: 2019-08-02 12:05 – Updated: 2024-08-04 22:10
VLAI
Summary
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Severity
8.8 (High)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://access.redhat.com/libvirt-privesc-vulnera… | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://security.gentoo.org/glsa/202003-18 | vendor-advisoryx_refsource_GENTOO |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10167"
},
{
"name": "GLSA-202003-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libvirt",
"vendor": "libvirt",
"versions": [
{
"status": "affected",
"version": "4.x.x before 4.10.1"
},
{
"status": "affected",
"version": "5.x.x before 5.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an \"emulatorbin\" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain\u0027s capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-15T04:06:02.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10167"
},
{
"name": "GLSA-202003-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-18"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10167",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "libvirt",
"version": {
"version_data": [
{
"version_value": "4.x.x before 4.10.1"
},
{
"version_value": "5.x.x before 5.4.1"
}
]
}
}
]
},
"vendor_name": "libvirt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an \"emulatorbin\" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain\u0027s capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-250"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://access.redhat.com/libvirt-privesc-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10167",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10167"
},
{
"name": "GLSA-202003-18",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-18"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10167",
"datePublished": "2019-08-02T12:05:52.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:09.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10168 (GCVE-0-2019-10168)
Vulnerability from cvelistv5 – Published: 2019-08-02 12:08 – Updated: 2024-08-04 22:10
VLAI
Summary
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Severity
8.8 (High)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://access.redhat.com/libvirt-privesc-vulnera… | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://security.gentoo.org/glsa/202003-18 | vendor-advisoryx_refsource_GENTOO |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:10.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168"
},
{
"name": "GLSA-202003-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libvirt",
"vendor": "libvirt",
"versions": [
{
"status": "affected",
"version": "4.x.x before 4.10.1"
},
{
"status": "affected",
"version": "5.x.x before 5.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an \"emulator\" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain\u0027s capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-15T04:06:03.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168"
},
{
"name": "GLSA-202003-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-18"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10168",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "libvirt",
"version": {
"version_data": [
{
"version_value": "4.x.x before 4.10.1"
},
{
"version_value": "5.x.x before 5.4.1"
}
]
}
}
]
},
"vendor_name": "libvirt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an \"emulator\" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain\u0027s capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-250"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://access.redhat.com/libvirt-privesc-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168"
},
{
"name": "GLSA-202003-18",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-18"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10168",
"datePublished": "2019-08-02T12:08:14.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:10.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15790 (GCVE-0-2019-15790)
Vulnerability from cvelistv5 – Published: 2020-04-27 23:25 – Updated: 2025-11-03 19:25
VLAI
Title
Apport reads PID files with elevated privileges
Summary
Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged running process by exploiting PID recycling. This information could then be used to obtain ASLR offsets for a process with an existing memory corruption vulnerability. The initial fix introduced regressions in the Python Apport library due to a missing argument in Report.add_proc_environ in apport/report.py. It also caused an autopkgtest failure when reading /proc/pid and with Python 2 compatibility by reading /proc maps. The initial and subsequent regression fixes are in 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 and 2.14.1-0ubuntu3.29+esm3.
Severity
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
10 references
Impacted products
Date Public
2019-10-30 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:25:26.757Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1839795"
},
{
"tags": [
"x_transferred"
],
"url": "https://usn.ubuntu.com/4171-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://usn.ubuntu.com/4171-2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://usn.ubuntu.com/4171-3/"
},
{
"tags": [
"x_transferred"
],
"url": "https://usn.ubuntu.com/4171-4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://usn.ubuntu.com/4171-5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1850929"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1851806"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.launchpad.net/apport/+bug/1854237"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/172858/Ubuntu-Apport-Whoopsie-DoS-Integer-Overflow.html"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Jun/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apport",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.14.1-0ubuntu3.29+esm3",
"status": "affected",
"version": "2.14.1",
"versionType": "custom"
},
{
"lessThan": "2.20.1-0ubuntu2.22",
"status": "affected",
"version": "2.20.1",
"versionType": "custom"
},
{
"lessThan": "2.20.9-0ubuntu7.12",
"status": "affected",
"version": "2.20.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "2.20.11-0ubuntu16",
"status": "unaffected"
}
],
"lessThan": "2.20.11-0ubuntu8.6",
"status": "affected",
"version": "2.20.11",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kevin Backhouse"
}
],
"datePublic": "2019-10-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged running process by exploiting PID recycling. This information could then be used to obtain ASLR offsets for a process with an existing memory corruption vulnerability. The initial fix introduced regressions in the Python Apport library due to a missing argument in Report.add_proc_environ in apport/report.py. It also caused an autopkgtest failure when reading /proc/pid and with Python 2 compatibility by reading /proc maps. The initial and subsequent regression fixes are in 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 and 2.14.1-0ubuntu3.29+esm3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T00:00:00.000Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1839795"
},
{
"url": "https://usn.ubuntu.com/4171-1/"
},
{
"url": "https://usn.ubuntu.com/4171-2/"
},
{
"url": "https://usn.ubuntu.com/4171-3/"
},
{
"url": "https://usn.ubuntu.com/4171-4/"
},
{
"url": "https://usn.ubuntu.com/4171-5/"
},
{
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1850929"
},
{
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1851806"
},
{
"url": "https://bugs.launchpad.net/apport/+bug/1854237"
},
{
"url": "http://packetstormsecurity.com/files/172858/Ubuntu-Apport-Whoopsie-DoS-Integer-Overflow.html"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/4171-1/",
"defect": [
"https://launchpad.net/bugs/1839795"
],
"discovery": "EXTERNAL"
},
"title": "Apport reads PID files with elevated privileges",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2019-15790",
"datePublished": "2020-04-27T23:25:19.961Z",
"dateReserved": "2019-08-29T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:25:26.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-16765 (GCVE-0-2019-16765)
Vulnerability from cvelistv5 – Published: 2019-11-25 17:41 – Updated: 2024-08-05 01:24
VLAI
Summary
If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker's choosing may be executed on the user's behalf. This is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace's upgrade mechanism. After upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here.
Severity
7.4 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/github/vscode-codeql/security/… | x_refsource_CONFIRM |
| https://github.com/github/vscode-codeql/pull/174 | x_refsource_MISC |
| https://github.com/github/vscode-codeql/blob/v1.0… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| github | vscode-codeql |
Affected:
< 1.0.1 , < 1.0.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:47.950Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/github/vscode-codeql/pull/174"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "vscode-codeql",
"vendor": "github",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "\u003c 1.0.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker\u0027s choosing may be executed on the user\u0027s behalf. This is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace\u0027s upgrade mechanism. After upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-25T17:41:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/github/vscode-codeql/pull/174"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md"
}
],
"source": {
"advisory": "GHSA-wf4x-8mpj-r42q",
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"value": "Manually review the workspace settings for any workspace obtained from an external source. These settings can be found in the .vscode/settings.json file within the workspace directory. Remove the configuration values for the codeQL.cli.executablePath, codeQL.cli.owner, and codeQL.cli.repository settings for the workspace.\n\nIf you wish to use the codeQL.cli.executablePath setting to indicate the location of a CodeQL CLI executable, then move this to your user settings, and check that you trust the configured path. You can access the user settings by choosing Preferences: Open User Settings from the Command Palette."
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16765",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "vscode-codeql",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "\u003c 1.0.1",
"version_value": "1.0.1"
}
]
}
}
]
},
"vendor_name": "github"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker\u0027s choosing may be executed on the user\u0027s behalf. This is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace\u0027s upgrade mechanism. After upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-250 Execution with Unnecessary Privileges"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q",
"refsource": "CONFIRM",
"url": "https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q"
},
{
"name": "https://github.com/github/vscode-codeql/pull/174",
"refsource": "MISC",
"url": "https://github.com/github/vscode-codeql/pull/174"
},
{
"name": "https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md",
"refsource": "MISC",
"url": "https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md"
}
]
},
"source": {
"advisory": "GHSA-wf4x-8mpj-r42q",
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Manually review the workspace settings for any workspace obtained from an external source. These settings can be found in the .vscode/settings.json file within the workspace directory. Remove the configuration values for the codeQL.cli.executablePath, codeQL.cli.owner, and codeQL.cli.repository settings for the workspace.\n\nIf you wish to use the codeQL.cli.executablePath setting to indicate the location of a CodeQL CLI executable, then move this to your user settings, and check that you trust the configured path. You can access the user settings by choosing Preferences: Open User Settings from the Command Palette."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16765",
"datePublished": "2019-11-25T17:41:17.000Z",
"dateReserved": "2019-09-24T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:24:47.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16767 (GCVE-0-2019-16767)
Vulnerability from cvelistv5 – Published: 2019-11-29 17:40 – Updated: 2024-08-05 01:24
VLAI
Title
In EzMaster before 5.2.11 docker containers were executed with advanced privileges by default
Summary
The admin sys mode is now conditional and dedicated for the special case. By default, since ezmaster@5.2.11 no instance (container) is launched with advanced capabilities (not launched as root)
Severity
6.6 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Inist-CNRS/ezmaster/security/a… | x_refsource_CONFIRM |
| https://github.com/Inist-CNRS/ezmaster/pull/51 | x_refsource_MISC |
| https://github.com/Inist-CNRS/ezmaster/blob/maste… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Inist-CNRS | ezmaster |
Affected:
< 5.2.11 , < 5.2.11
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:47.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Inist-CNRS/ezmaster/security/advisories/GHSA-g654-5qjf-g6cx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Inist-CNRS/ezmaster/pull/51"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Inist-CNRS/ezmaster/blob/master/CHANGELOG.md#ezmaster-5211"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ezmaster",
"vendor": "Inist-CNRS",
"versions": [
{
"lessThan": "5.2.11",
"status": "affected",
"version": "\u003c 5.2.11",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The admin sys mode is now conditional and dedicated for the special case. By default, since ezmaster@5.2.11 no instance (container) is launched with advanced capabilities (not launched as root)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-29T17:40:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Inist-CNRS/ezmaster/security/advisories/GHSA-g654-5qjf-g6cx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Inist-CNRS/ezmaster/pull/51"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Inist-CNRS/ezmaster/blob/master/CHANGELOG.md#ezmaster-5211"
}
],
"source": {
"advisory": "GHSA-g654-5qjf-g6cx",
"discovery": "UNKNOWN"
},
"title": "In EzMaster before 5.2.11 docker containers were executed with advanced privileges by default",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16767",
"STATE": "PUBLIC",
"TITLE": "In EzMaster before 5.2.11 docker containers were executed with advanced privileges by default"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ezmaster",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "\u003c 5.2.11",
"version_value": "5.2.11"
}
]
}
}
]
},
"vendor_name": "Inist-CNRS"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The admin sys mode is now conditional and dedicated for the special case. By default, since ezmaster@5.2.11 no instance (container) is launched with advanced capabilities (not launched as root)"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-250 Execution with Unnecessary Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Inist-CNRS/ezmaster/security/advisories/GHSA-g654-5qjf-g6cx",
"refsource": "CONFIRM",
"url": "https://github.com/Inist-CNRS/ezmaster/security/advisories/GHSA-g654-5qjf-g6cx"
},
{
"name": "https://github.com/Inist-CNRS/ezmaster/pull/51",
"refsource": "MISC",
"url": "https://github.com/Inist-CNRS/ezmaster/pull/51"
},
{
"name": "https://github.com/Inist-CNRS/ezmaster/blob/master/CHANGELOG.md#ezmaster-5211",
"refsource": "MISC",
"url": "https://github.com/Inist-CNRS/ezmaster/blob/master/CHANGELOG.md#ezmaster-5211"
}
]
},
"source": {
"advisory": "GHSA-g654-5qjf-g6cx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16767",
"datePublished": "2019-11-29T17:40:14.000Z",
"dateReserved": "2019-09-24T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:24:47.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16784 (GCVE-0-2019-16784)
Vulnerability from cvelistv5 – Published: 2020-01-14 20:10 – Updated: 2024-08-05 01:24
VLAI
Title
Local Privilege Escalation present only on the Windows version of PyInstaller
Summary
In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in "onefile" mode is launched by a privileged user (at least more than the current one) which have his "TempPath" resolving to a world writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable the software has to be (re)started after the attacker launch the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).
Severity
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pyinstaller/pyinstaller/securi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PyInstaller | PyInstaller |
Affected:
< 3.6
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7fcj-pq9j-wh2r"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"windows"
],
"product": "PyInstaller",
"vendor": "PyInstaller",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability was discovered and reported by Farid AYOUJIL (@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from Alter Solutions (@AlterSolutions) and fixed in collaboration with Hartmut Goebel (@htgoebel)."
}
],
"descriptions": [
{
"lang": "en",
"value": "In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in \"onefile\" mode is launched by a privileged user (at least more than the current one) which have his \"TempPath\" resolving to a world writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\\Windows\\Temp). In order to be exploitable the software has to be (re)started after the attacker launch the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-14T20:10:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7fcj-pq9j-wh2r"
}
],
"source": {
"advisory": "GHSA-7fcj-pq9j-wh2r",
"discovery": "UNKNOWN"
},
"title": "Local Privilege Escalation present only on the Windows version of PyInstaller",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16784",
"STATE": "PUBLIC",
"TITLE": "Local Privilege Escalation present only on the Windows version of PyInstaller"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PyInstaller",
"version": {
"version_data": [
{
"platform": "windows",
"version_value": "\u003c 3.6"
}
]
}
}
]
},
"vendor_name": "PyInstaller"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability was discovered and reported by Farid AYOUJIL (@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from Alter Solutions (@AlterSolutions) and fixed in collaboration with Hartmut Goebel (@htgoebel)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in \"onefile\" mode is launched by a privileged user (at least more than the current one) which have his \"TempPath\" resolving to a world writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\\Windows\\Temp). In order to be exploitable the software has to be (re)started after the attacker launch the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-250 Execution with Unnecessary Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7fcj-pq9j-wh2r",
"refsource": "CONFIRM",
"url": "https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7fcj-pq9j-wh2r"
}
]
},
"source": {
"advisory": "GHSA-7fcj-pq9j-wh2r",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16784",
"datePublished": "2020-01-14T20:10:12.000Z",
"dateReserved": "2019-09-24T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:24:48.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation ID: MIT-18
Phase: Architecture and Design
Strategy: Separation of Privilege
Description:
- Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation ID: MIT-18
Phase: Architecture and Design
Strategy: Attack Surface Reduction
Description:
- Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation
Phase: Implementation
Description:
- Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.
Mitigation ID: MIT-19
Phase: Implementation
Description:
- When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
Mitigation
Phase: Implementation
Description:
- If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.
Mitigation ID: MIT-37
Phases: Operation, System Configuration
Strategy: Environment Hardening
Description:
- Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.