{"containers": {"cna": {"affected": [{"product": "kernel", "vendor": "Linux Kernel", "versions": [{"status": "affected", "version": "before 5.9-rc4"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-131", "description": "CWE-131", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-15T22:06:09", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385"}, {"name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"}, {"name": "openSUSE-SU-2020:1586", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html"}, {"name": "USN-4576-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4576-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14385", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "kernel", "version": {"version_data": [{"version_value": "before 5.9-rc4"}]}}]}, "vendor_name": "Linux Kernel"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability."}]}, "impact": {"cvss": [[{"vectorString": "5.5/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-131"}]}]}, "references": {"reference_data": [{"name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933", "refsource": "MISC", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385"}, {"name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"}, {"name": "openSUSE-SU-2020:1586", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html"}, {"name": "USN-4576-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4576-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:46:34.096Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385"}, {"name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"}, {"name": "openSUSE-SU-2020:1586", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html"}, {"name": "USN-4576-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4576-1/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14385", "datePublished": "2020-09-15T21:14:53", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:46:34.096Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9CA5EDA-9CA4-49FA-AF86-7B150825868E", "versionEndExcluding": "5.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9.0:-:*:*:*:*:*:*", "matchCriteriaId": "B2C150C3-165E-42D6-80D4-87B11340B08C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "21F51360-AF61-433B-9FD9-D7DE742FABF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "AFF43A64-F1B2-49B5-9B1A-3C5287E30CC7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "7CD5DFA0-15FB-44C2-8C2F-DCABACB998B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en el kernel de Linux versiones anteriores a 5.9-rc4. Un fallo en el comprobador de metadatos del sistema de archivos en XFS puede causar que un inodo con un atributo extendido v\u00e1lido creado por el usuario sea marcado como corrupto. Esto puede conllevar que el sistema de archivos sea apagado o se vuelva inaccesible hasta que se vuelva a montar, conllevando una denegaci\u00f3n de servicio. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"}], "id": "CVE-2020-14385", "lastModified": "2023-11-07T03:17:12.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 4.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2020-09-15T22:15:13.223", "references": [{"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4576-1/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-131"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-131"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Dr. David Alan Gilbert (redhat.com) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:5441", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-1160.11.1.rt56.1145.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-12-15T00:00:00Z"}, {"advisory": "RHSA-2020:5050", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-11-10T00:00:00Z"}, {"advisory": "RHSA-2020:5437", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-1160.11.1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-12-15T00:00:00Z"}, {"advisory": "RHSA-2020:4289", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-193.28.1.rt13.77.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4286", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-193.28.1.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4331", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-10-26T00:00:00Z"}, {"advisory": "RHSA-2020:5199", "cpe": "cpe:/o:redhat:rhel_e4s:8.0", "package": "kernel-0:4.18.0-80.31.1.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-11-24T00:00:00Z"}, {"advisory": "RHSA-2020:4287", "cpe": "cpe:/o:redhat:rhel_eus:8.1", "package": "kernel-0:4.18.0-147.32.1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-10-20T00:00:00Z"}, {"advisory": "RHSA-2020:4332", "cpe": "cpe:/o:redhat:rhel_eus:8.1", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-10-26T00:00:00Z"}], "bugzilla": {"description": "kernel: metadata validator in XFS may cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt", "id": "1874800", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874800"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.", "A flaw was found in the Linux kernel. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2020-14385", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-alt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise MRG 2"}], "public_date": "2020-08-25T09:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14385\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14385\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"], "statement": "Only local users, including unprivileged users in a cointainer, can trigger this flaw. However, the impact could be high, especially on multi-tenant systems, because after the attack the system rendered inaccessible for some time (at least until reboot), so the impact has been increased to Important.", "threat_severity": "Important", "upstream_fix": "Linux kernel 5.9-rc4"}