| Vulnerability Name: | CVE-2021-20239 (CCN-195800) |
| Assigned: | 2020-12-17 |
| Published: | 2021-01-29 |
| Updated: | 2022-08-05 |
| Summary: | A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. |
| CVSS v3 Severity: | 3.3 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): Low
Integrity (I): None
Availibility (A): None |
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None | | Scope: | Scope (S): Changed
| | Impact Metrics: | Confidentiality (C): High
Integrity (I): None
Availibility (A): None |
3.8 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
3.3 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None | | Scope: | Scope (S): Changed
| | Impact Metrics: | Confidentiality (C): Low
Integrity (I): None
Availibility (A): None |
|
| CVSS v2 Severity: | 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)| Exploitability Metrics: | Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None | | Impact Metrics: | Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None |
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)| Exploitability Metrics: | Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
| | Impact Metrics: | Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None |
|
| Vulnerability Type: | CWE-119
CWE-200
|
| Vulnerability Consequences: | Obtain Information |
| References: | Source: MITRE
Type: CNA
CVE-2021-20239
Source: CCN
Type: Red Hat Bugzilla - Bug 1923636
(CVE-2021-20239) - CVE-2021-20239 kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure
Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1923636
Source: XF
Type: UNKNOWN
linux-kernel-setsockopt-info-disc(195800)
Source: CCN
Type: Linux Kernel Web site
The Linux Kernel Archives
Source: CCN
Type: ZDI-21-100
Linux Kernel setsockopt System Call Untrusted Pointer Dereference Information Disclosure Vulnerability
|
| Vulnerable Configuration: | Configuration 1:
cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:* (Version < 5.4.92)
Configuration 2:
cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*OR cpe:/o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Configuration 3:
cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Configuration RedHat 1:
cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
cpe:/a:redhat:enterprise_linux:8::nfv:*:*:*:*:*
Configuration RedHat 3:
cpe:/a:redhat:enterprise_linux:8::realtime:*:*:*:*:*
Configuration RedHat 4:
cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*
Configuration RedHat 5:
cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 6:
cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*
Configuration CCN 1:
cpe:/o:linux:linux_kernel:5.4:-:*:*:*:*:*:*
 Denotes that component is vulnerable |
| Oval Definitions |
|
| BACK |