Vulnerability 14895 - CERT Civis.Net

Vulnerability Name:

CCN-14895

Published:

2004-01-21

Updated:

2004-01-21

Summary:

3ddiag could allow a local attacker to launch a symlink attack. 3ddiag creates insecure temporary files. A local attacker could exploit this vulnerability by creating a symbolic link for a temporary file to an arbitrary file on the system, which would allow the attacker to create or overwrite files on the system, once the 3ddiag scripts are executed. An attacker could use this vulnerability to possibly obtain elevated privileges on the system.

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

2.6 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:N/I:P/A:P)
2.5 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:H/Au:N/C:N/I:P/A:P/E:H/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): Partial

Vulnerability Consequences:

File Manipulation

References:

Source: CCN
Type: BID-9434
SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link Vulnerability

Source: XF
Type: UNKNOWN
suse-3ddiag-symlink-attack(14895)

Vulnerable Configuration:

Configuration CCN 1:

cpe:/o:suse:suse_linux:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK