- Description
- The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance.
- Source
- secalert@redhat.com
- NVD status
- Analyzed
CVSS 2.0
- Type
- Primary
- Base score
- 6.8
- Impact score
- 10
- Exploitability score
- 3.2
- Vector string
- AV:A/AC:H/Au:N/C:C/I:C/A:C
- nvd@nist.gov
- CWE-264
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:libguestfs:libguestfs:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FEDCD7E8-EB02-4686-8217-017306C55D52",
            "versionEndIncluding": "1.20.12",
            "versionStartIncluding": "1.20.0"
          },
          {
            "criteria": "cpe:2.3:a:libguestfs:libguestfs:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "78562C81-E443-418F-BD73-29CA55F6F098",
            "versionEndIncluding": "1.22.7",
            "versionStartIncluding": "1.22.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:suse:suse_linux_enterprise_software_development_kit:11.0:sp3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C3407560-6D54-4B1B-9977-AD4F6EB5D6BB"
          },
          {
            "criteria": "cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "623DB4CD-8CB3-445A-B9B5-1238CF195235"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]