Executive Summary
Informations | |||
---|---|---|---|
Name | CVE-2013-4419 | First vendor Publication | 2013-11-05 |
Vendor | Cve | Last vendor Modification | 2018-12-13 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:A/AC:H/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Adjacent network |
Cvss Impact Score | 10 | Attack Complexity | High |
Cvss Expoit Score | 3.2 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance. |
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4419 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:25432 | |||
Oval ID: | oval:org.mitre.oval:def:25432 | ||
Title: | SUSE-SU-2013:1626-1 -- Security update for guestfs | ||
Description: | A predictable socketname in the guestfish commandline tool could be used by a local attacker to gain access to guestfish sessions of other users on the same system. (CVE-2013-4419) Security Issue reference: * CVE-2013-4419 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4419 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1626-1 CVE-2013-4419 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | guestfs |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27187 | |||
Oval ID: | oval:org.mitre.oval:def:27187 | ||
Title: | RHSA-2013:1536 -- libguestfs security, bug fix, and enhancement update (Moderate) | ||
Description: | Libguestfs is a library and set of tools for accessing and modifying guest disk images. It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode. A local attacker could use this flaw to intercept and modify other user's guestfish command, allowing them to perform arbitrary guestfish actions with the privileges of a different user, or use this flaw to obtain authentication credentials. (CVE-2013-4419) This issue was discovered by Michael Scherer of the Red Hat Regional IT team. These updated libguestfs packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical Notes, linked to in the References, for information on the most significant of these changes. All libguestfs users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1536 CESA-2013:1536 CVE-2013-4419 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | libguestfs |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-11-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1536.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1527.nasl - Type : ACT_GATHER_INFO |
2013-12-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131121_libguestfs_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-11-29 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1536.nasl - Type : ACT_GATHER_INFO |
2013-11-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1536.nasl - Type : ACT_GATHER_INFO |
2013-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-19553.nasl - Type : ACT_GATHER_INFO |
2013-11-05 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_guestfs-data-131024.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote Fedora host is missing a security update. File : fedora_2013-19452.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote Fedora host is missing a security update. File : fedora_2013-19492.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
Date | Informations |
---|---|
2024-02-02 01:24:10 |
|
2024-02-01 12:07:13 |
|
2023-09-05 12:22:50 |
|
2023-09-05 01:07:07 |
|
2023-09-02 12:22:52 |
|
2023-09-02 01:07:12 |
|
2023-08-22 12:20:36 |
|
2022-10-11 01:06:53 |
|
2021-05-04 12:27:18 |
|
2021-04-22 01:33:04 |
|
2020-05-23 00:38:01 |
|
2019-06-07 12:05:22 |
|
2018-12-13 21:19:35 |
|
2017-01-26 12:04:19 |
|
2016-06-28 19:39:44 |
|
2016-04-26 23:33:13 |
|
2015-01-14 21:24:01 |
|
2014-11-13 13:26:54 |
|
2014-11-08 13:31:08 |
|
2014-02-17 11:22:10 |
|
2013-12-08 13:19:36 |
|
2013-12-01 13:19:11 |
|
2013-11-06 21:28:10 |
|
2013-11-06 13:30:08 |
|