Vulnerability Name:

CVE-2003-0501 (CCN-12443)

Assigned:2003-06-20
Published:2003-06-20
Updated:2018-05-03
Summary:The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: CCN
Type: BugTraq Mailing List, Fri Jun 20 2003 - 07:55:48 CDT
Linux /proc sensitive information disclosure

Source: MITRE
Type: CNA
CVE-2003-0501

Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2003:796
kernel

Source: BUGTRAQ
Type: UNKNOWN
20030620 Linux /proc sensitive information disclosure

Source: CCN
Type: RHSA-2003-198
kernel security update

Source: CCN
Type: RHSA-2003-238
Updated 2.4 kernel fixes vulnerabilities

Source: CCN
Type: RHSA-2003-239
kernel security update

Source: CCN
Type: CIAC Information Bulletin N-122
Red Hat Updated 2.4 Kernel Fixes Vulnerabilities

Source: CCN
Type: CIAC Information Bulletin O-059
Debian Linux-Kernel-2.4.14-ia64 Vulnerabilities

Source: DEBIAN
Type: UNKNOWN
DSA-358

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-423

Source: DEBIAN
Type: DSA-358
linux-kernel-2.4.18 -- several vulnerabilities

Source: DEBIAN
Type: DSA-423
linux-kernel-2.4.17-ia64 -- several vulnerabilities

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2003:198

Source: REDHAT
Type: UNKNOWN
RHSA-2003:238

Source: REDHAT
Type: UNKNOWN
RHSA-2003:239

Source: CCN
Type: BID-8002
Linux /proc Filesystem Potential Information Disclosure Vulnerability

Source: CCN
Type: BID-8233
Multiple Linux 2.4 Kernel Vulnerabilities

Source: CCN
Type: TLSA-2003-65
Integer overflow

Source: XF
Type: UNKNOWN
linux-proc-obtain-information(12443)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:328

Source: SUSE
Type: SUSE-SA:2003:034
kernel: local privilege escalation remote Denial of Service (DoS)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:linux:linux_kernel:2.6.20.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:linux:linux_kernel:2.6.20.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:engardelinux:secure_linux:-:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_firewall:*:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_database_server:*:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_email_server:iii:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_connectivity_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:engardelinux:secure_professional:-:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_office_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:suse:suse_email_server:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:aw:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.cisecurity:def:532
    P
    		DSA-358-4 -- linux-kernel-2.4.18 -- several vulnerabilities
    2016-07-01
    oval:org.opensuse.security:def:20030501
    V
    		CVE-2003-0501
    2015-11-16
    oval:org.debian:def:358
    V
    		several vulnerabilities
    2013-01-21
    oval:org.mitre.oval:def:328
    V
    		Linux Kernel /proc/self setuid Vulnerability
    2007-04-25
    oval:org.debian:def:423
    V
    		several vulnerabilities
    2004-01-15
    BACK
    linux linux kernel 2.6.20.1
    linux linux kernel 2.6.20.1
    redhat linux 7.1
    suse suse linux 7.2
    redhat linux 7.2
    suse suse linux 7.3
    engardelinux secure linux -
    suse suse linux firewall *
    suse suse linux database server *
    suse suse email server iii
    suse suse linux connectivity server *
    suse suse linux 8.0
    conectiva linux 8.0
    redhat linux 7.3
    debian debian linux 3.0
    engardelinux secure professional -
    suse suse linux office server *
    redhat linux 8.0
    suse suse email server 3.1
    suse suse linux 8.1
    suse linux enterprise server 8
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat linux 9.0
    suse suse linux 8.2
    redhat enterprise linux 2.1
    conectiva linux 9.0
    redhat linux advanced workstation 2.1