CVE-2014-3209 — Incorrect Permission Assignment in Ldns

CWE-264 CWE-732 — Incorrect Permission Assignment CWE-522 — Insufficiently Protected Credentials8 documents7 sources

Severity

2.1LOWNVD

EPSS

0.2%

top 63.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nlnetlabs Ldns Debian Ldns

Timeline

PublishedNov 16

Latest updateMay 17

Description

The ldns-keygen tool in ldns 1.6.x uses the current umask to set the privileges of the private key, which might allow local users to obtain the private key by reading the file.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/ldns< ldns 1.6.17-4 (bookworm)

▶Debiannlnetlabs/ldns< 1.6.17-4+3

▶Ubuntunlnetlabs/ldns< 1.6.17-1ubuntu0.1+1

▶NVDnlnetlabs/ldns12 versions+11

🔴Vulnerability Details

GHSA

GHSA-cc58-7rpr-73mr: The ldns-keygen tool in ldns 1↗2022-05-17

▶

OSV

ldns vulnerabilities↗2017-11-22

▶

OSV

CVE-2014-3209: The ldns-keygen tool in ldns 1↗2014-11-16

▶

📋Vendor Advisories

Ubuntu

ldns vulnerabilities↗2017-11-22

▶

Red Hat

ldns: ldns-keygen generates keys with world readable permissions↗2014-05-03

▶

Debian

CVE-2014-3209: ldns - The ldns-keygen tool in ldns 1.6.x uses the current umask to set the privileges ...↗2014

▶

💬Community

Bugzilla

CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions↗2014-05-03

▶