CVE-2013-4419

The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance.
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:libguestfs:libguestfs:*:*:*:*:*:*:*:*
cpe:2.3:a:libguestfs:libguestfs:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp3:*:*:*:*:*:*
cpe:2.3:a:suse:suse_linux_enterprise_software_development_kit:11.0:sp3:*:*:*:*:*:*

Information

Published : 2013-11-05 12:55

Updated : 2018-12-13 09:57


NVD link : CVE-2013-4419

Mitre link : CVE-2013-4419


JSON object : View

CWE
CWE-264

Permissions, Privileges, and Access Controls

Advertisement

dedicated server usa

Products Affected

suse

  • suse_linux_enterprise_software_development_kit

novell

  • suse_linux_enterprise_server

libguestfs

  • libguestfs