CVE-2008-4580

fence_manual, as used in fence 2.02.00-r1 and possibly cman, allows local users to modify arbitrary files via a symlink attack on the fence_manual.fifo temporary file.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://bugs.gentoo.org/show_bug.cgi?id=240576
http://www.openwall.com/lists/oss-security/2008/10/13/3
http://www.openwall.com/lists/oss-security/2008/10/16/1
http://www.ubuntu.com/usn/USN-875-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/45953

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gentoo:cman:2.02.00:r1::::::
	cpe:2.3:a:gentoo:fence:2.02.00:r1::::::

History

No history.

Information

Published : 2008-10-15 20:08

Updated : 2023-02-13 02:19

NVD link : CVE-2008-4580

Mitre link : CVE-2008-4580

CVE.ORG link : CVE-2008-4580

JSON object : View

Products Affected

gentoo

fence
cman

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

NVD-CWE-noinfo

{"id": "CVE-2008-4580", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": true, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": true, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2008-10-15T20:08:02.763", "references": [{"url": "http://bugs.gentoo.org/show_bug.cgi?id=240576", "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2008/10/13/3", "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2008/10/16/1", "source": "secalert@redhat.com"}, {"url": "http://www.ubuntu.com/usn/USN-875-1", "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45953", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "fence_manual, as used in fence 2.02.00-r1 and possibly cman, allows local users to modify arbitrary files via a symlink attack on the fence_manual.fifo temporary file."}, {"lang": "es", "value": "fence_manual, tal y como es usado en fence versi\u00f3n 2.02.00-r1 y posiblemente cman, permite a los usuarios locales modificar archivos arbitrarios por medio de un ataque de tipo symlink en el archivo temporal fence_manual.fifo."}], "lastModified": "2023-02-13T02:19:32.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gentoo:cman:2.02.00:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C3CBF73-99E7-4562-AA18-19EA3D9AF2D5"}, {"criteria": "cpe:2.3:a:gentoo:fence:2.02.00:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E9BCDBC-4566-417D-AEB6-B1377519648A"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Manual fencing agent is documented to only be provided for testing purposes and should not be used in production environments. Therefore, there is no plan to fix this flaw in Red Hat Cluster Suite for Red Hat Enterprise Linux 4, and in Red Hat Enterprise Linux 5.", "lastModified": "2009-11-12T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "secalert@redhat.com"}