CVE-2006-2607
published 2006-05-25


Priority: P427 high, 7.2 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.56% (42.6th percentile)
do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| debian | cron | < cron 3.0pl1-64 (bookworm) | cron 3.0pl1-64 (bookworm) |
| paul_vixie | vixie_cron | | |

CVSS provenance

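| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.2 | HIGH | |
| vendor_debian | | 7.2 | MEDIUM | |
| vendor_redhat | | 7.2 | HIGH | |
| vendor_ubuntu | | 7.2 | HIGH | |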