CVE-2007-5159
published 2007-10-01CVE-2007-5159: The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid root) to mount.ntfs-3g…
PriorityP416medium4.6CVSS 2.0
AVLACLAuNCPIPAP
EPSS
0.35%
27.3th percentile
The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid root) to mount.ntfs-3g, which allows local users with fuse group membership to read from and write to arbitrary block devices, possibly involving a file descriptor leak.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ntfs-3g | < ntfs-3g 1:1.913-2 (bookworm) | ntfs-3g 1:1.913-2 (bookworm) |
| ntfs-3g | ntfs-3g | <= 1.913-1.fc7 | — |
| tuxera | ntfs-3g | >= 0 < 1:1.913-2 | 1:1.913-2 |
| tuxera | ntfs-3g | >= 0 < 1:1.913-2 | 1:1.913-2 |
| tuxera | ntfs-3g | >= 0 < 1:1.913-2 | 1:1.913-2 |
| tuxera | ntfs-3g | >= 0 < 1:1.913-2 | 1:1.913-2 |
CVSS provenance
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
osv4.6MEDIUM
vendor_debian4.6MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-r584-r284-xhg9: The ntfs-3g package before 1
ghsa_unreviewed·2022-05-01
CVE-2007-5159 [MEDIUM] GHSA-r584-r284-xhg9: The ntfs-3g package before 1
The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid root) to mount.ntfs-3g, which allows local users with fuse group membership to read from and write to arbitrary block devices, possibly involving a file descriptor leak.
OSV
CVE-2007-5159: The ntfs-3g package before 1
osv·2007-10-01·CVSS 4.6
CVE-2007-5159 [MEDIUM] CVE-2007-5159: The ntfs-3g package before 1
The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid root) to mount.ntfs-3g, which allows local users with fuse group membership to read from and write to arbitrary block devices, possibly involving a file descriptor leak.
Debian
CVE-2007-5159: ntfs-3g - The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ub...
vendor_debian·2007·CVSS 4.6
CVE-2007-5159 [MEDIUM] CVE-2007-5159: ntfs-3g - The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ub...
The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid root) to mount.ntfs-3g, which allows local users with fuse group membership to read from and write to arbitrary block devices, possibly involving a file descriptor leak.
Scope: local
bookworm: resolved (fixed in 1:1.913-2)
bullseye: resolved (fixed in 1:1.913-2)
forky: resolved (fixed in 1:1.913-2)
sid: resolved (fixed in 1:1.913-2)
trixie: resolved (fixed in 1:1.913-2)
No detection rules found.
No public exploits indexed.
CWE
Improper Privilege Management
mitre_cwe
CWE-269 Improper Privilege Management
CWE-269: Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Operation
Common Consequences:
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and contro
CWE
Execution with Unnecessary Privileges
mitre_cwe
CWE-250 Execution with Unnecessary Privileges
CWE-250: Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Installation
Phase: Architecture and Design
Note: If an application has this design problem, then it can be easier for the developer to make implementation-related errors such as CWE-271 (Privilege Dropping / Lowering Errors). In addition, the consequences of Privilege Chaining (CWE-268) can become more severe.
Phase: Operation
Common Consequences:
Scope: Confidentiality, Integrity, Availability, Access Contro
http://secunia.com/advisories/26938https://bugzilla.redhat.com/show_bug.cgi?id=298651https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00163.htmlhttps://www.redhat.com/archives/fedora-package-announce/2007-September/msg00368.htmlhttp://secunia.com/advisories/26938https://bugzilla.redhat.com/show_bug.cgi?id=298651https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00163.htmlhttps://www.redhat.com/archives/fedora-package-announce/2007-September/msg00368.html
2007-10-01
Published