Vulnerability CVE-2011-4578

Vulnerability Name:

CVE-2011-4578 (CCN-71661)

Assigned:

2011-12-06

Published:

2011-12-06

Updated:

2013-04-05

Summary:

event.c in acpid (aka acpid2) before 2.0.11 does not have an appropriate umask setting during execution of event-handler scripts, which might allow local users to (1) perform write operations within directories created by a script, or (2) read files created by a script, via standard filesystem system calls.

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Obtain Information

References:

Source: CCN
Type: SourceForge.net Web site
acpid - the ACPI event daemon

Source: MITRE
Type: CNA
CVE-2011-4578

Source: CCN
Type: SA47071
acpid Event Scripts Insecure umask Security Issue

Source: CONFIRM
Type: UNKNOWN
http://sourceforge.net/u/tedfelix/acpid2/ci/02d0bf29207f17996936ab652717855b15873901/tree/Changelog?force=True

Source: DEBIAN
Type: DSA-2362
acpid -- several vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2012:138

Source: CCN
Type: oss-security Mailing List, Tue, 6 Dec 2011 21:39:49 +0100
acpid

Source: MLIST
Type: UNKNOWN
[oss-security] 20111206 Re: CVE request: acpid

Source: CCN
Type: OSVDB ID: 77557
acpid Event Scripts Insecure umask Local Information Disclosure

Source: CCN
Type: BID-50945
acpid Event Scripts Local Information Disclosure Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/ubuntu/+source/acpid/+bug/893821

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=760984

Source: XF
Type: UNKNOWN
acpid-umask-info-disclosure(71661)

Vulnerable Configuration:

Configuration 1:

cpe:/a:tedfelix:acpid2:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.7:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.8:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:2.0.9:*:*:*:*:*:*:*

OR cpe:/a:tedfelix:acpid2:*:*:*:*:*:*:*:* (Version <= 2.0.10)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20114578	V	CVE-2011-4578	2022-05-20
oval:org.opensuse.security:def:42267	P	Security update for dnsmasq (Important)	2022-04-22
oval:org.opensuse.security:def:26186	P	Security update for libqt4 (Important)	2021-12-22
oval:org.opensuse.security:def:31327	P	Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)	2021-12-14
oval:org.opensuse.security:def:31328	P	Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)	2021-12-14
oval:org.opensuse.security:def:33042	P	Security update for MozillaFirefox (Important)	2021-11-17
oval:org.opensuse.security:def:32211	P	Security update for transfig (Important)	2021-10-29
oval:org.opensuse.security:def:31694	P	Security update for util-linux (Moderate)	2021-10-19
oval:org.opensuse.security:def:26142	P	Security update for apache2 (Important)	2021-10-06
oval:org.opensuse.security:def:26128	P	Security update for postgresql13 (Moderate)	2021-09-16
oval:org.opensuse.security:def:33003	P	Security update for postgresql13 (Moderate)	2021-09-16
oval:org.opensuse.security:def:32155	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-07-27
oval:org.opensuse.security:def:32147	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-07-21
oval:org.opensuse.security:def:26089	P	Security update for MozillaFirefox (Important)	2021-07-16
oval:org.opensuse.security:def:31637	P	Security update for ucode-intel (Important)	2021-06-10
oval:org.opensuse.security:def:42486	P	acpid-1.0.6-91.25.20 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36079	P	acpid-1.0.6-91.25.20 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:31631	P	Security update for gstreamer-plugins-bad (Important)	2021-06-07
oval:org.opensuse.security:def:32103	P	Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)	2021-06-04
oval:org.opensuse.security:def:32081	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)	2021-04-28
oval:org.opensuse.security:def:26040	P	Security update for gdm (Important)	2021-04-28
oval:org.opensuse.security:def:26205	P	Security update for openssl-1_0_0 (Moderate)	2021-03-08
oval:org.opensuse.security:def:32260	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:31339	P	Security update for the Linux Kernel (Important)	2021-02-12
oval:org.opensuse.security:def:26054	P	Security update for flac (Moderate)	2021-01-04
oval:org.opensuse.security:def:32824	P	Security update for xen (Important)	2020-12-07
oval:org.opensuse.security:def:35860	P	acpid-1.0.6-91.25.20 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:25970	P	Security update for gdm (Important)	2020-12-03
oval:org.opensuse.security:def:31557	P	Security update for python-setuptools (Important)	2020-12-02
oval:org.opensuse.security:def:31763	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:32321	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:25411	P	Security update for u-boot (Important)	2020-12-01
oval:org.opensuse.security:def:26258	P	Security update for openconnect (Moderate)	2020-12-01
oval:org.opensuse.security:def:31781	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:31855	P	Security update for crash (Low)	2020-12-01
oval:org.opensuse.security:def:32365	P	Security update for supportutils (Moderate)	2020-12-01
oval:org.opensuse.security:def:25422	P	Security update for postgresql10 (Important)	2020-12-01
oval:org.opensuse.security:def:26307	P	Security update for conntrack-tools (Moderate)	2020-12-01
oval:org.opensuse.security:def:25628	P	Security update for dpdk (Critical)	2020-12-01
oval:org.opensuse.security:def:31937	P	Security update for glibc (Moderate)	2020-12-01
oval:org.opensuse.security:def:31912	P	Security update for gcc43 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25695	P	Security update for gcc9 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25486	P	Security update for openssl-1_1 (Important)	2020-12-01
oval:org.opensuse.security:def:26346	P	Security update for irssi (Moderate)	2020-12-01
oval:org.opensuse.security:def:25629	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:31993	P	Security update for java-1_7_1-ibm (Moderate)	2020-12-01
oval:org.opensuse.security:def:31999	P	Security update for xorg-x11-server (Important)	2020-12-01
oval:org.opensuse.security:def:25752	P	Security update for libreoffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:26824	P	sudo on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25614	P	Security update for perl-DBI (Important)	2020-12-01
oval:org.opensuse.security:def:26360	P	Security update for MozillaThunderbird (Moderate)	2020-12-01
oval:org.opensuse.security:def:25640	P	Security update for libqt5-qtsvg (Moderate)	2020-12-01
oval:org.opensuse.security:def:32042	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25836	P	Security update for LibreOffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:26859	P	acpid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25913	P	Security update for tcpdump, libpcap (Moderate)	2020-12-01
oval:org.opensuse.security:def:26404	P	Security update for irssi (Moderate)	2020-12-01
oval:org.opensuse.security:def:25704	P	Security update for ppp (Important)	2020-12-01
oval:org.opensuse.security:def:25987	P	Security update for the Linux Kernel (Critical)	2020-12-01
oval:org.opensuse.security:def:27042	P	taglib on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25832	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:31545	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:27077	P	acpid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31413	P	Security update for php53 (Important)	2020-12-01
oval:org.opensuse.security:def:32299	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:31546	P	Security update for sane-backends (Moderate)	2020-12-01
oval:org.opensuse.security:def:25410	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:32785	P	squid on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:15207	P	USN-1296-1 -- acpid vulnerabilities	2014-06-30
oval:org.mitre.oval:def:15149	P	DSA-2362-1 acpid -- several	2014-06-23

BACK