CVE-2006-6008

ftpd in Linux Netkit (linux-ftpd) 0.17, and possibly other versions, does not check the return status of certain seteuid, setgid, and setuid calls, which might allow remote authenticated users to gain privileges if these calls fail in cases such as PAM failures or resource limits, a different vulnerability than CVE-2006-5778.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454	Patch
http://bugs.gentoo.org/show_bug.cgi?id=150292	Patch
http://ftp.debian.org/debian/pool/main/l/linux-ftpd/linux-ftpd_0.17-22.diff.gz	Patch
http://secunia.com/advisories/22816	Patch Vendor Advisory
http://secunia.com/advisories/22853	Patch Vendor Advisory
http://www.gentoo.org/security/en/glsa/glsa-200611-05.xml	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:netkit:netkit:0.17:*:*:*:*:*:*:*

History

No history.

Information

Published : 2006-11-21 23:07

Updated : 2008-09-05 21:13

NVD link : CVE-2006-6008

Mitre link : CVE-2006-6008

CVE.ORG link : CVE-2006-6008

JSON object : View

Products Affected

netkit

netkit

CWE

NVD-CWE-Other

{"id": "CVE-2006-6008", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2006-11-21T23:07:00.000", "references": [{"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://bugs.gentoo.org/show_bug.cgi?id=150292", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://ftp.debian.org/debian/pool/main/l/linux-ftpd/linux-ftpd_0.17-22.diff.gz", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/22816", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/22853", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.gentoo.org/security/en/glsa/glsa-200611-05.xml", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "ftpd in Linux Netkit (linux-ftpd) 0.17, and possibly other versions, does not check the return status of certain seteuid, setgid, and setuid calls, which might allow remote authenticated users to gain privileges if these calls fail in cases such as PAM failures or resource limits, a different vulnerability than CVE-2006-5778."}, {"lang": "es", "value": "ftpd en Linux Netkit (linux-ftpd) 0.17, y posiblemente otras versiones, no comprueba el estado que retornan ciertas llamadas a seteuid, setgid, y setuid, lo cual permite a usuarios remotos autenticados obtener privilegios si esas llamadas fallan en casos como fallos PAM o limitaci\u00f3n de recursos, una vulnerabilidad diferente que CVE-2006-5778."}], "lastModified": "2008-09-05T21:13:39.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netkit:netkit:0.17:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE38941C-C4E2-4277-9275-C13126797BF0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}