Vulnerability CVE-2017-18240


Published: 2018-03-18   Modified: 2018-03-19

Description:
The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownership of the PID file directory to the collectd account, which might allow local users to kill arbitrary processes by leveraging access to this account to modify the PID file before a root script sends a SIGKILL (when the service is stopped).
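Added example, not from the advisory, the Gentoo bug or collectd's own init scripts: a POSIX shell stop routine that refuses to signal the PID it reads from a PID file until it has confirmed that the process really is the expected daemon running as the service account, which is the check a root-run stop script needs when the PID file lives in a directory the service account can write. It assumes a Linux /proc filesystem; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not collectd's or Gentoo's code). Stop a daemon without trusting
# the PID file blindly: a PID file that the service account can rewrite must not
# be allowed to steer a root-run "kill" at an arbitrary process.
# Assumes Linux /proc; function and variable names are hypothetical.

# pid_matches_daemon PID EXE_BASENAME UID
# Returns 0 only if PID is a live process whose executable basename and real uid
# match the daemon this script is responsible for.
pid_matches_daemon() {
    pid=$1 want_exe=$2 want_uid=$3
    # Reject empty/non-numeric values and PIDs 0/1 (process-group and init sentinels)
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 1 ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    [ "$(basename "$exe")" = "$want_exe" ] || return 1
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    [ "$uid" = "$want_uid" ]
}

# read_pidfile PIDFILE -> prints a single trimmed PID; fails on missing,
# multi-line or non-regular files (symlinks are refused as well)
read_pidfile() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
    head -n 1 "$1" | tr -d '[:space:]'
}

# stop_daemon PIDFILE EXE_BASENAME UID [SIGNAL]
# Sends SIGNAL (default TERM) only after both checks pass; otherwise sends
# nothing and returns 1 so the caller can fall back to e.g. pkill -u UID.
stop_daemon() {
    pidfile=$1 want_exe=$2 want_uid=$3 sig=${4:-TERM}
    pid=$(read_pidfile "$pidfile") || { echo "refusing: bad pidfile $pidfile" >&2; return 1; }
    if ! pid_matches_daemon "$pid" "$want_exe" "$want_uid"; then
        echo "refusing: $pidfile names PID '$pid', not $want_exe running as uid $want_uid" >&2
        return 1
    fi
    kill -s "$sig" "$pid"
}
```

A stop script written this way turns a rewritten PID file into a logged refusal instead of a SIGKILL delivered to whatever process the file named.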

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10

Exploit range: Local
Attack complexity: Low
Authentication: Not required

Confidentiality impact: None
Integrity impact: None
Availability impact: Complete
Affected software: Collectd -> Collectd

References:
http://www.securityfocus.com/bid/103469
https://bugs.gentoo.org/628540
https://security.gentoo.org/glsa/201803-10

Copyright 2024, cxsecurity.com
