CVE-2009-0115

CWE-732 — Incorrect Permission Assignment8 documents7 sources

Severity

7.8HIGH

EPSS

0.1%

top 75.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juniper Ctpview Opensuse Opensuse Avaya Intuity Audix LX +7 more

Timeline

PublishedMar 30

Latest updateMay 2

Description

The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages9 packages

▶NVDsuse/linux_enterprise_server10, 9+1

▶Debianmultipath-tools< 0.4.8-15+3

▶NVDsuse/linux_enterprise_desktop9

▶NVDchristophe.varoqui/multipath-tools0.4.8

▶NVDopensuse/opensuse10.3 — 11.0

Also affects: Debian Linux 4.0, 5.0, Fedora 10, 9

🔴Vulnerability Details

GHSA

GHSA-m58q-qh36-cwx8: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0↗2022-05-02

▶

OSV

CVE-2009-0115: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0↗2009-03-30

▶

CVEList

CVE-2009-0115: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0↗2009-03-30

▶

📋Vendor Advisories

Red Hat

device-mapper-multipath: insecure permissions on multipathd.sock↗2009-03-24

▶

Debian

CVE-2009-0115: multipath-tools - The Device Mapper multipathing driver (aka multipath-tools or device-mapper-mult...↗2009

▶

💬Community

Bugzilla

CVE-2010-0277 pidgin MSN protocol plugin memory corruption↗2010-01-11

▶

Bugzilla

CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock↗2009-04-01

▶