Vulnerability Name: CVE-2013-6412 (CCN-90705)

Assigned: 2013-11-25
Published: 2013-11-25
Updated: 2014-01-23
Summary: The transform_save function in transform.c in Augeas 1.0.0 through 1.1.0 does not properly calculate the permission values when the umask contains a "7," which causes world-writable permissions to be used for new files and allows local users to modify the files via unspecified vectors.
CVSS v3 Severity: 5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
2.6 Low (REDHAT CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:P/A:N)
1.9 Low (REDHAT Temporal CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2013-6412

Source: CCN
Type: RHSA-2014-0044
Moderate: augeas security update

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0044

Source: CCN
Type: BID-65165
Augeas CVE-2013-6412 Insecure File Permissions Vulnerability

Source: CCN
Type: Red Hat Bugzilla Bug 1034261
(CVE-2013-6412) CVE-2013-6412 augeas: incorrect permissions set on newly created files

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=1034261

Source: XF
Type: UNKNOWN
augeas-cve20136412-insecure-permissions(90705)

Source: CCN
Type: Augeas GIT Repository
Fix regression in permissions of created files

Source: CONFIRM
Type: UNKNOWN
https://github.com/hercules-team/augeas/commit/f5b4fc0c

Source: CONFIRM
Type: UNKNOWN
https://github.com/hercules-team/augeas/pull/58

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-6412

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:augeas:augeas:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:augeas:augeas:1.1.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:augeas:augeas:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:augeas:augeas:1.1.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_virtualization:3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:6.5.z:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20136412 | V | CVE-2013-6412 | 2022-05-20
oval:org.opensuse.security:def:33052 | P | Security update for openexr (Moderate) | 2021-12-01
oval:org.opensuse.security:def:55269 | P | Security update for postgresql, postgresql13, postgresql14 (Important) | 2021-11-20
oval:org.opensuse.security:def:32221 | P | Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important) | 2021-11-19
oval:org.opensuse.security:def:33987 | P | Security update for MozillaFirefox (Important) | 2021-10-15
oval:org.opensuse.security:def:33013 | P | Security update for gd (Moderate) | 2021-09-23
oval:org.opensuse.security:def:55947 | P | Security update for Mesa (Moderate) | 2021-09-16
oval:org.opensuse.security:def:26126 | P | Security update for Mesa (Moderate) | 2021-09-16
oval:org.opensuse.security:def:32165 | P | Security update for cpio (Important) | 2021-08-23
oval:org.opensuse.security:def:33683 | P | Security update for libsolv (Important) | 2021-06-28
oval:org.opensuse.security:def:30095 | P | Security update for xterm (Important) | 2021-06-18
oval:org.opensuse.security:def:33929 | P | Security update for freeradius-server (Moderate) | 2021-06-11
oval:org.opensuse.security:def:42496 | P | augeas-0.9.0-3.15.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:36089 | P | augeas-0.9.0-3.15.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:36373 | P | augeas-devel-0.9.0-3.15.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:29375 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-07
oval:org.opensuse.security:def:26064 | P | Security update for libwebp (Critical) | 2021-06-02
oval:org.opensuse.security:def:26215 | P | Security update for openssl-1_1 (Important) | 2021-03-25
oval:org.opensuse.security:def:30051 | P | Security update for openssl (Moderate) | 2021-03-24
oval:org.opensuse.security:def:55866 | P | Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP2) (Important) | 2021-03-17
oval:org.opensuse.security:def:32270 | P | Security update for wpa_supplicant (Important) | 2021-03-09
oval:org.opensuse.security:def:26207 | P | Security update for openssl-1_1 (Moderate) | 2021-03-09
oval:org.opensuse.security:def:34036 | P | Security update for openssl-1_0_0 (Moderate) | 2021-03-08
oval:org.opensuse.security:def:33772 | P | Security update for open-iscsi (Important) | 2021-03-01
oval:org.opensuse.security:def:30032 | P | Security update for MozillaFirefox (Important) | 2021-03-01
oval:org.opensuse.security:def:31641 | P | Security update for ImageMagick (Important) | 2021-01-22
oval:org.opensuse.security:def:55828 | P | Security update for dovecot22 (Important) | 2021-01-04
oval:org.opensuse.security:def:33626 | P | Security update for xen (Moderate) | 2020-12-22
oval:org.opensuse.security:def:25980 | P | Security update for MozillaFirefox (Critical) | 2020-12-21
oval:org.opensuse.security:def:29304 | P | Security update for openssl (Important) | 2020-12-11
oval:org.opensuse.security:def:32009 | P | Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important) | 2020-12-07
oval:org.opensuse.security:def:29293 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:54997 | P | python-requests on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55662 | P | Security update for openldap2 (Important) | 2020-12-01
oval:org.opensuse.security:def:54423 | P | at on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:54824 | P | libHX28 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32331 | P | Security update for samba (Moderate) | 2020-12-01
oval:org.opensuse.security:def:34075 | P | Security update for libxml2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:34822 | P | Security update for augeas | 2020-12-01
oval:org.opensuse.security:def:33314 | P | mailx-openssl1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26356 | P | Security update for chromium (Important) | 2020-12-01
oval:org.opensuse.security:def:27087 | P | augeas on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25650 | P | Security update for SDL (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26264 | P | Security update for gegl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26601 | P | libsamplerate on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27336 | P | xorg-x11-libs-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25923 | P | Security update for util-linux (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26542 | P | evolution-data-server on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26887 | P | ed on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27033 | P | star on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26257 | P | Security update for icu (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26461 | P | Security update for chromium (Important) | 2020-12-01
oval:org.opensuse.security:def:27762 | P | Security update for gtk2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27917 | P | Security update for xorg-x11-libX11 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27260 | P | pango on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29736 | P | Security update for freeradius-server (Moderate) | 2020-12-01
oval:org.opensuse.security:def:30770 | P | Security update for augeas | 2020-12-01
oval:org.opensuse.security:def:55103 | P | expat on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55754 | P | Security update for flash-player (Important) | 2020-12-01
oval:org.opensuse.security:def:57223 | P | Security update for hplip | 2020-12-01
oval:org.opensuse.security:def:54424 | P | augeas on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31865 | P | Security update for curl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32375 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31555 | P | Security update for sqlite3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31773 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:34100 | P | Security update for mipv6d | 2020-12-01
oval:org.opensuse.security:def:33395 | P | Security update for SUSE Manager Client Tools (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26370 | P | Security update for mbedtls (Important) | 2020-12-01
oval:org.opensuse.security:def:25714 | P | Security update for libpng16 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26348 | P | Security update for SDL2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26640 | P | sudo on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27371 | P | augeas-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25934 | P | Security update for the Linux kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:26599 | P | libpython2_6-1_0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26936 | P | ldapsmb on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27671 | P | Security update for rubygem-rdoc | 2020-12-01
oval:org.opensuse.security:def:26258 | P | Security update for openconnect (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27470 | P | libpcp3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27815 | P | Security update for libsndfile (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27961 | P | Security update for ImageMagick (Important) | 2020-12-01
oval:org.opensuse.security:def:27184 | P | libfreebl3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27388 | P | dbus-1-glib-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29889 | P | Security update for SUSE Linux Enterprise Server 11 SP1 Kernel for Teradata (Important) | 2020-12-01
oval:org.opensuse.security:def:57297 | P | Security update for augeas | 2020-12-01
oval:org.opensuse.security:def:54446 | P | curl on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31922 | P | Security update for ghostscript-library (Important) | 2020-12-01
oval:org.opensuse.security:def:31556 | P | Security update for xorg-x11-server (Important) | 2020-12-01
oval:org.opensuse.security:def:34144 | P | Security update for openldap2 | 2020-12-01
oval:org.opensuse.security:def:33302 | P | xorg-x11-libxcb-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33530 | P | Security update for Xen | 2020-12-01
oval:org.opensuse.security:def:26268 | P | Security update for libreoffice (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26414 | P | Security update for python-Django (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25638 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:25842 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:26499 | P | Security update for chromium, re2 (Important) | 2020-12-01
oval:org.opensuse.security:def:26654 | P | xpdf-tools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25998 | P | Security update for libreoffice (Important) | 2020-12-01
oval:org.opensuse.security:def:26683 | P | dbus-1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26975 | P | libtiff3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27706 | P | Security update for augeas | 2020-12-01
oval:org.opensuse.security:def:26269 | P | Security update for python3-requests (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27527 | P | openslp-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27864 | P | Security update for python | 2020-12-01
oval:org.opensuse.security:def:28599 | P | Security update for strongswan | 2020-12-01
oval:org.opensuse.security:def:27185 | P | libgcc_s1-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29593 | P | Security update for ark | 2020-12-01
oval:org.opensuse.security:def:29944 | P | Security update for xorg-x11-server (Important) | 2020-12-01
oval:org.opensuse.security:def:29292 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:29506 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55554 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:54586 | P | libpng15-15 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32309 | P | Security update for quagga (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31567 | P | Security update for squid3 (Important) | 2020-12-01
oval:org.opensuse.security:def:34782 | P | Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important) | 2020-12-01
oval:org.opensuse.security:def:33303 | P | xorg-x11-server-dmx on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26317 | P | Security update for chromium (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27052 | P | w3m on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25639 | P | Security update for libqt5-qtimageformats (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26552 | P | g3utils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26698 | P | foomatic-filters on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25922 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26834 | P | tomcat6 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26989 | P | man on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26333 | P | Security update for redis (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27611 | P | Security update for Mozilla Firefox | 2020-12-01
oval:org.opensuse.security:def:27903 | P | Security update for Xen | 2020-12-01
oval:org.opensuse.security:def:28634 | P | Security update for augeas | 2020-12-01
oval:org.opensuse.security:def:27196 | P | libmspack0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29650 | P | Security update for curl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29993 | P | Security update for libtcnative-1-0 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:30733 | P | Security update for OpenEXR (Moderate) | 2020-12-01
oval:org.mitre.oval:def:25960 | P | SUSE-SU-2014:1017-1 -- Security update for augeas | 2014-10-27
oval:org.opensuse.security:def:79931 | P | Security update for augeas | 2014-07-30
oval:org.mitre.oval:def:24181 | P | ELSA-2014:0044: augeas security update (Moderate) | 2014-05-26
oval:org.mitre.oval:def:22025 | P | RHSA-2014:0044: augeas security update (Moderate) | 2014-05-12
oval:com.ubuntu.xenial:def:201364120000000 | V | CVE-2013-6412 on Ubuntu 16.04 LTS (xenial) - low. | 2014-01-23
oval:com.ubuntu.precise:def:20136412000 | V | CVE-2013-6412 on Ubuntu 12.04 LTS (precise) - low. | 2014-01-22
oval:com.ubuntu.trusty:def:20136412000 | V | CVE-2013-6412 on Ubuntu 14.04 LTS (trusty) - low. | 2014-01-22
oval:com.ubuntu.xenial:def:20136412000 | V | CVE-2013-6412 on Ubuntu 16.04 LTS (xenial) - low. | 2014-01-22
oval:com.redhat.rhsa:def:20140044 | P | RHSA-2014:0044: augeas security update (Moderate) | 2014-01-20
    augeas augeas 1.0.0
    augeas augeas 1.1.0
    redhat enterprise virtualization 3
    redhat enterprise linux desktop 6
    redhat enterprise linux hpc node 6
    redhat enterprise linux server 6
    redhat enterprise linux workstation 6
    redhat enterprise linux server aus 6.5
    redhat enterprise linux server eus 6.5.z