CVE-2012-3490 — XML External Entity (XXE) Injection in Condor
Severity: 8.8 HIGH (NVD), 5.0 (GHSA)
EPSS: 1.9% (top 16.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 9
Latest update: May 14
Description
The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen.cpp and the (3) systemCommand function in condor_vm-gahp/vmgahp_common.cpp in Condor 7.6.x before 7.6.10 and 7.8.x before 7.8.4 do not properly check the return value of setuid calls, which might cause a subprocess to be created with root privileges and allow remote attackers to gain privileges via unspecified vectors.
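The unchecked-setuid pattern the description names, next to a checked privilege drop, as an added example (not Condor's code). The function names, the injectable setter stubs and the target IDs are constructed for illustration so that a failing setuid can be simulated without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Setter types match setgid(2)/setuid(2) so a failure can be injected. */
typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* Constructed stubs standing in for the real calls. */
static int ok_setgid(gid_t g) { (void)g; return 0; }
static int ok_setuid(uid_t u) { (void)u; return 0; }
static int failing_setuid(uid_t u) { (void)u; errno = EAGAIN; return -1; }

/* Unchecked pattern: the result is discarded, so the caller goes on to
 * exec the child even when the process is still root. 1 = "would exec". */
int may_exec_unchecked(uid_t uid, setuid_fn su) {
    (void)su(uid);
    return 1;
}

/* Checked pattern: group first (assumption: while still privileged),
 * then user; any failure means the child must not be executed. */
int may_exec_checked(uid_t uid, gid_t gid, setgid_fn sg, setuid_fn su) {
    if (sg(gid) != 0) return 0;
    if (su(uid) != 0) return 0;
    return 1;
}

/* Real-call wrapper: also confirms the IDs actually changed. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (!may_exec_checked(uid, gid, setgid, setuid)) return 0;
    return getuid() == uid && geteuid() == uid && getgid() == gid;
}

int main(void) {
    uid_t uid = 1000; gid_t gid = 1000; /* constructed target IDs */
    printf("unchecked, setuid fails: exec=%d\n",
           may_exec_unchecked(uid, failing_setuid));
    printf("checked,   setuid fails: exec=%d\n",
           may_exec_checked(uid, gid, ok_setgid, failing_setuid));
    printf("checked,   setuid ok:    exec=%d\n",
           may_exec_checked(uid, gid, ok_setgid, ok_setuid));
    return 0;
}
```

In a forked child, a zero return from `drop_privileges` should lead to `_exit()` rather than to the exec call.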
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 3 packages
Vulnerability Details (4)
GHSA
GHSA-p9fv-x796-2hrm: The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen (2022-04-23)
CVEList
CVE-2012-3490: The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen (2020-01-09)
OSV
CVE-2012-3490: The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen (2020-01-09)