CVE-2006-2607

9 documents8 sources

Severity

7.2HIGH

EPSS

0.0%

top 86.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Paul Vixie Vixie Cron

Timeline

PublishedMay 25

Latest updateMay 1

Description

do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages2 packages

▶NVDpaul_vixie/vixie_cron4.1

▶Debiancron< 3.0pl1-64+3

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-m6pc-rv4c-hqmg: do_command↗2022-05-01

▶

CVEList

CVE-2006-2607: do_command↗2006-05-25

▶

OSV

CVE-2006-2607: do_command↗2006-05-25

▶

📋Vendor Advisories

Ubuntu

cron vulnerability↗2009-06-01

▶

Red Hat

Jobs start from root when pam_limits enabled↗2006-01-20

▶

Debian

CVE-2006-2607: cron - do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a ...↗2006

▶

💬Community

Bugzilla

CVE-2006-2607 Jobs start from root when pam_limits enabled↗2006-05-25

▶

Bugzilla

CVE-2006-2607 Jobs start from root when pam_limits enabled↗2006-01-20

▶