CVE-2019-3461 - OpenCVE

Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux Tmpreaper

Configuration 1 [-]

cpe:2.3:a:debian:tmpreaper:1.6.13\+nmu1:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956
https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html
https://lists.debian.org/debian-security-announce/2019/msg00003.html
https://usn.ubuntu.com/4077-1/

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2019-02-04T18:00:00Z

Updated: 2024-09-16T22:56:42.618Z

Reserved: 2018-12-31T00:00:00

Link: CVE-2019-3461

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-02-04T18:29:00.247

Modified: 2019-07-29T20:15:12.513

Link: CVE-2019-3461

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "tmpreaper", "vendor": "Debian GNU/Linux", "versions": [{"status": "affected", "version": "1.6.13+nmu1"}]}], "datePublic": "2019-01-10T00:00:00", "descriptions": [{"lang": "en", "value": "Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14."}], "problemTypes": [{"descriptions": [{"description": "Local privilege escalation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-29T19:06:06", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "[debian-lts-announce] 20190124 [SECURITY] [DLA 1640-1] tmpreaper security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956"}, {"name": "DSA-4365", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://lists.debian.org/debian-security-announce/2019/msg00003.html"}, {"name": "USN-4077-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4077-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "DATE_PUBLIC": "2019-01-10T00:00:00", "ID": "CVE-2019-3461", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tmpreaper", "version": {"version_data": [{"version_value": "1.6.13+nmu1"}]}}]}, "vendor_name": "Debian GNU/Linux"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Local privilege escalation"}]}]}, "references": {"reference_data": [{"name": "[debian-lts-announce] 20190124 [SECURITY] [DLA 1640-1] tmpreaper security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956", "refsource": "MISC", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956"}, {"name": "DSA-4365", "refsource": "DEBIAN", "url": "https://lists.debian.org/debian-security-announce/2019/msg00003.html"}, {"name": "USN-4077-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4077-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:12:09.521Z"}, "title": "CVE Program Container", "references": [{"name": "[debian-lts-announce] 20190124 [SECURITY] [DLA 1640-1] tmpreaper security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956"}, {"name": "DSA-4365", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://lists.debian.org/debian-security-announce/2019/msg00003.html"}, {"name": "USN-4077-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4077-1/"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2019-3461", "datePublished": "2019-02-04T18:00:00Z", "dateReserved": "2018-12-31T00:00:00", "dateUpdated": "2024-09-16T22:56:42.618Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:tmpreaper:1.6.13\\+nmu1:*:*:*:*:*:*:*", "matchCriteriaId": "375E8A83-2793-4AAA-8C1E-DFB9ACD1A655", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14."}, {"lang": "es", "value": "Debian tmpreaper, en su versi\u00f3n 1.6.13+nmu1, tiene una condici\u00f3n de carrera al realizar un montaje (bind) mediante rename(), lo que podr\u00eda resultar en el escalado de privilegios local. El montaje mediante rename() podr\u00eda conducir a que un archivo se coloque en otro lugar de la jerarqu\u00eda del sistema de archivos (p.ej., /etc/cron.d/) si el directorio que se est\u00e1 limpiando est\u00e1 en el mismo sistema de archivos f\u00edsico. Las versiones solucionadas incluyen la 1.6.13+nmu1+deb9u1 y la 1.6.14."}], "id": "CVE-2019-3461", "lastModified": "2019-07-29T20:15:12.513", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-04T18:29:00.247", "references": [{"source": "security@debian.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956"}, {"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html"}, {"source": "security@debian.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.debian.org/debian-security-announce/2019/msg00003.html"}, {"source": "security@debian.org", "url": "https://usn.ubuntu.com/4077-1/"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}