- Description
- fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the credentials, which allows local users to gain privileges via the universal variable socket, related to /tmp/fishd.socket.user permissions.
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 2.0
- Type
- Primary
- Base score
- 6.9
- Impact score
- 10
- Exploitability score
- 3.4
- Vector string
- AV:L/AC:M/Au:N/C:C/I:C/A:C
- nvd@nist.gov
- CWE-264
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fishshell:fish:1.16.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DB596427-E590-42F9-A3DB-9D7636E6AB03"
},
{
"criteria": "cpe:2.3:a:fishshell:fish:2.0.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A6D8C9B4-F728-46AC-87FA-FC2745E955F1"
}
],
"operator": "OR"
}
]
}
]