CVE-2010-2199 RPM vulnerability

7 documents, 6 sources
Severity: 7.2 HIGH (NVD)
EPSS: 0.0% (top 85.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 8
Latest update: May 17

Description

lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059.

CVSS vector

AV:L/AC:L/C:C/I:C/A:C
Exploitability: 3.9 | Impact: 10.0

Affected Packages (2 packages)

NVD: rpm/rpm 4.8.0+92
Debian: debian/rpm

🔴 Vulnerability Details (2)

GHSA: GHSA-7v29-vf8p-2rvp: lib/fsm (2022-05-17)
OSV: CVE-2010-2199: lib/fsm (2010-06-08)

📋 Vendor Advisories (2)

Red Hat: rpm: fails to drop POSIX ACLs on package upgrade or removal (2010-06-01)
Debian: CVE-2010-2199: rpm - lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an ex... (2010)

💬 Community (2)

Bugzilla: CVE-2010-2199 rpm: fails to drop POSIX ACLs on package upgrade or removal (2010-06-08)
Bugzilla: CVE-2010-2059 rpm: fails to drop SUID/SGID bits on package upgrade (2010-06-02)