CVE-2009-4411
Date: (C) 2009-12-24  (M) 2023-12-22


The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score: 3.7
Exploit Score: 1.9
Impact Score: 6.4

CVSS V2 Metrics:
Access Vector: LOCAL
Access Complexity: HIGH
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
Reference:
BID-37455
SECUNIA-37907
SECUNIA-38420
OSVDB-61302
MDVSA-2009:345
SUSE-SR:2010:002
http://www.openwall.com/lists/oss-security/2009/12/23/2
acl-setfacl-getfacl-symlink(55004)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076
http://git.savannah.gnu.org/cgit/acl.git/commit/?id=63451a0
http://oss.sgi.com/bugzilla/show_bug.cgi?id=790

CWE: CWE-264
OVAL: oval:org.secpod.oval:def:300786

© SecPod Technologies