CVE-2012-0055
published 2020-02-19CVE-2012-0055: OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to…
PriorityP347high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
1.24%
65.5th percentile
OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| linux | linux_kernel | < 3.0.0 | 3.0.0 |
| linux_kernel | overlayfs | — | — |
| linux_kernel | overlayfs | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat7.8HIGH
vendor_ubuntu5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Linux kernel (Oneiric backport) vulnerabilities
vendor_ubuntu·2012-03-06·CVSS 5.5
CVE-2011-4097 [MEDIUM] Linux kernel (Oneiric backport) vulnerabilities
Title: Linux kernel (Oneiric backport) vulnerabilities
Summary: Several security issues were fixed in the kernel.
A bug was discovered in the Linux kernel's calculation of OOM (Out of
memory) scores, that would result in the wrong process being killed. A user
could use this to kill the process with the highest OOM score, even if that
process belongs to another user or the system. (CVE-2011-4097)
Paolo Bonzini discovered a flaw in Linux's handling of the SG_IO ioctl
command. A local user, or user in a VM could exploit this flaw to bypass
restrictions and gain read/write access to all data on the affected block
device. (CVE-2011-4127)
A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual
interrupt control is not available a local user could use this to cause a
denia
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2012-02-13·CVSS 5.5
CVE-2012-0055 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
A bug was discovered in the Linux kernel's calculation of OOM (Out of
memory) scores, that would result in the wrong process being killed. A user
could use this to kill the process with the highest OOM score, even if that
process belongs to another user or the system. (CVE-2011-4097)
A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual
interrupt control is not available a local user could use this to cause a
denial of service by starting a timer. (CVE-2011-4622)
A flaw was discovered in the XFS filesystem. If a local user mounts a
specially crafted XFS image it could potential execute arbitrary code on
the system. (CVE-2012-0038)
Andy Whitcroft discovered a that the Ov
Ubuntu
Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu·2012-02-13·CVSS 5.5
CVE-2011-4097 [MEDIUM] Linux kernel (OMAP4) vulnerabilities
Title: Linux kernel (OMAP4) vulnerabilities
Summary: Several security issues were fixed in the kernel.
A bug was discovered in the Linux kernel's calculation of OOM (Out of
memory) scores, that would result in the wrong process being killed. A user
could use this to kill the process with the highest OOM score, even if that
process belongs to another user or the system. (CVE-2011-4097)
A flaw was discovered in the XFS filesystem. If a local user mounts a
specially crafted XFS image it could potential execute arbitrary code on
the system. (CVE-2012-0038)
Andy Whitcroft discovered a that the Overlayfs filesystem was not doing the
extended permission checks needed by cgroups and Linux Security Modules
(LSMs). A local user could exploit this to by-pass security policy and
access files that
Red Hat
CVE-2012-0055: OverlayFS in the Linux kernel before 3
vendor_redhat·CVSS 7.8
CVE-2012-0055 [HIGH] CVE-2012-0055: OverlayFS in the Linux kernel before 3
OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.
Statement: Not vulnerable. This issue did not affect the Linux kernels as shipped with Red
Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG as they did not provide support for overlayfs.
GHSA
GHSA-9h57-rmgj-c639: OverlayFS in the Linux kernel before 3
ghsa_unreviewed·2022-04-23
CVE-2012-0055 [HIGH] GHSA-9h57-rmgj-c639: OverlayFS in the Linux kernel before 3
OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.
No detection rules found.
Bugzilla
CVE-2012-2922 drupal7: full path disclosure vulnerability
bugzilla·2012-05-23·CVSS 5.0
CVE-2012-2922 [MEDIUM] CVE-2012-2922 drupal7: full path disclosure vulnerability
CVE-2012-2922 drupal7: full path disclosure vulnerability
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-2922 to
the following vulnerability:
Name: CVE-2012-2922
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2922
Assigned: 20120521
Reference: BUGTRAQ:20120510 Drupal 7.14 <= Full Path Disclosure Vulnerability
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html
Reference: BUGTRAQ:20120510 Drupal 7.14 <= Full Path Disclosure Vulnerability (Update)
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-05/0053.html
Reference: BUGTRAQ:20120510 Re: Drupal 7.14 <= Full Path Disclosure Vulnerability
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-05/0055.html
Reference: http://www.securityfocus.com/bid/53454
Refer
Bugzilla
CVE kernel non-issue statements
bugzilla·2010-05-13·CVSS 5.0
[MEDIUM] CVE kernel non-issue statements
CVE kernel non-issue statements
This bug is to collect statements for Linux kernel-related CVE's that do not have their own top-level CVE SRT bug because it did not affect any of our supported kernels. These statements were also referred to as NVD statements and are noted on the NVD web site.
(From bug 589808) Do not change the bug alias, it needs to have "CVE" in the title. You can add extra statements in new comments or editing existing comments and they will be picked up correctly.
Discussion:
Statement CVE-2010-0747:
Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not backport an out-of-tree drbd module (drbd8).
Statement CVE-2010-1446:
Not vulnerable. This issue di
http://www.openwall.com/lists/oss-security/2012/01/17/11http://www.ubuntu.com/usn/USN-1363-1http://www.ubuntu.com/usn/USN-1364-1http://www.ubuntu.com/usn/USN-1384-1https://access.redhat.com/security/cve/cve-2012-0055https://bugs.launchpad.net/ubuntu/+source/linux/+bug/915941https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-0055http://www.openwall.com/lists/oss-security/2012/01/17/11http://www.ubuntu.com/usn/USN-1363-1http://www.ubuntu.com/usn/USN-1364-1http://www.ubuntu.com/usn/USN-1384-1https://access.redhat.com/security/cve/cve-2012-0055https://bugs.launchpad.net/ubuntu/+source/linux/+bug/915941https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-0055
2020-02-19
Published