Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-732
Total 1004 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-18285 2 Burp Project, Gentoo 2 Burp, Linux 2019-10-02 3.6 LOW 7.1 HIGH
The Gentoo app-backup/burp package before 2.1.32 has incorrect group ownership of the /etc/burp directory, which might allow local users to obtain read and write access to arbitrary files by leveraging access to a certain account for a burp-server.conf change.
CVE-2017-18284 2 Burp Project, Gentoo 2 Burp, Linux 2019-10-02 3.6 LOW 7.1 HIGH
The Gentoo app-backup/burp package before 2.1.32 sets the ownership of the PID file directory to the burp account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL.
CVE-2017-18226 2 Gentoo, Jabberd2 2 Linux, Jabberd2 2019-10-02 2.1 LOW 5.5 MEDIUM
The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of /var/run/jabber to the jabber account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script executes a "kill -TERM `cat /var/run/jabber/filename.pid`" command.
CVE-2017-18225 2 Gentoo, Jabberd2 2 Linux, Jabberd2 2019-10-02 4.6 MEDIUM 7.8 HIGH
The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, jabberd2-c2s, jabberd2-router, jabberd2-s2s, and jabberd2-sm in /usr/bin owned by the jabber account, which might allow local users to gain privileges by leveraging access to this account and then waiting for root to execute one of these programs.
CVE-2017-17867 1 Intenogroup 1 Iopsys 2019-10-02 9.0 HIGH 8.8 HIGH
Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated users to execute arbitrary OS commands by modifying the leasetrigger field in the odhcpd configuration to specify an arbitrary program, as demonstrated by a program located on an SMB share. This issue existed because the /etc/uci-defaults directory was not being used to secure the OpenWrt configuration.
CVE-2017-17568 1 Scubez 1 Posty Readymade Classifieds 2019-10-02 5.0 MEDIUM 7.5 HIGH
Scubez Posty Readymade Classifieds has Incorrect Access Control for visiting admin/user_activate_submit.php (aka the backend PHP script), which might allow remote attackers to obtain sensitive information via a direct request.
CVE-2017-1716 1 Ibm 1 Tivoli Workload Scheduler 2019-10-02 2.1 LOW 3.3 LOW
IBM Tivoli Workload Scheduler 8.6.0, 9.1.0, and 9.2.0 could disclose sensitive information to a local attacker due to improper permission settings. IBM X-Force ID: 134638.
CVE-2017-16933 1 Icinga 1 Icinga 2019-10-02 6.9 MEDIUM 7.0 HIGH
etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link.
CVE-2017-16885 1 Fiberhome 2 Lm53q1, Lm53q1 Firmware 2019-10-02 5.0 MEDIUM 9.8 CRITICAL
Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet Usage, Changing Passwords, etc.) allows remote attackers to look for the information without authenticating. The information includes Version of device, Firmware ID, Connected users to device along their MAC Addresses, etc.
CVE-2017-16834 1 Pnp4nagios 1 Pnp4nagios 2019-10-02 7.2 HIGH 7.8 HIGH
PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivileged account.
CVE-2017-16638 1 Vde Project 1 Vde 2019-10-02 10.0 HIGH 9.8 CRITICAL
The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by the OpenRC service script.
CVE-2017-15945 3 Gentoo, Mariadb, Mysql 3 Linux, Mariadb, Mysql 2019-10-02 7.2 HIGH 7.8 HIGH
The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link.
CVE-2017-15877 1 Sistemagpweb 1 Gpweb 2019-10-02 5.0 MEDIUM 9.8 CRITICAL
Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allows remote attackers to view the password and user database.
CVE-2017-15611 1 Octopus 1 Octopus Deploy 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges.
CVE-2017-15352 1 Huawei 10 Oceanstor 2800, Oceanstor 2800 Firmware, Oceanstor 5300 and 7 more 2019-10-02 2.9 LOW 3.1 LOW
Huawei OceanStor 2800 V3, V300R003C00, V300R003C20, OceanStor 5300 V3, V300R003C00, V300R003C10, V300R003C20, OceanStor 5500 V3, V300R003C00, V300R003C10, V300R003C20, OceanStor 5600 V3, V300R003C00, V300R003C10, V300R003C20, OceanStor 5800 V3, V300R003C00, V300R003C10, V300R003C20 have an improper access control vulnerability. Due to incorrectly restrict access to a resource, an attacker with high privilege may exploit the vulnerability to query some information or send specific message to cause some service abnormal.
CVE-2017-14730 2 Elasticsearch, Gentoo 2 Logstash, Linux 2019-10-02 7.2 HIGH 7.8 HIGH
The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link.
CVE-2017-13236 1 Google 1 Android 2019-10-02 4.6 MEDIUM 7.8 HIGH
In the KeyStore service, there is a permissions bypass that allows access to protected resources. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-68217699.
CVE-2017-13168 2 Canonical, Google 2 Ubuntu Linux, Android 2019-10-02 4.6 MEDIUM 7.8 HIGH
An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. Android ID A-65023233.
CVE-2017-1266 1 Ibm 1 Security Guardium 2019-10-02 5.5 MEDIUM 5.4 MEDIUM
IBM Security Guardium 10.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 124741.
CVE-2017-11437 1 Gitlab 1 Gitlab 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users.