CVE-2014-4039: Time-of-check Time-of-use (TOCTOU) Race Condition in Project Ppc64-diag

Severity: 2.1 LOW (NVD)
EPSS: 0.1% (top 80.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 17; Latest update May 17

Description

ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly restrict permissions for /tmp/diagSEsnap/snapH.tar.gz, which allows local users to obtain sensitive information by reading files in this archive, as demonstrated by /var/log/messages and /etc/yaboot.conf.

CVSS vector

AV:L/AC:L/C:P/I:N/A:N
Exploitability: 3.9 | Impact: 2.9

Affected Packages: 4 packages

🔴 Vulnerability Details (3)

GHSA: GHSA-ccg6-gvwm-fgpg: ppc64-diag 2 (2022-05-17)
OSV: CVE-2014-4039: ppc64-diag 2 (2014-06-17)
CVEList: CVE-2014-4039: ppc64-diag 2 (2014-06-17)

📋 Vendor Advisories (2)

Red Hat: ppc64-diag: multiple temporary file races (2014-06-13)
Debian: CVE-2014-4039: ppc64-diag - ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly... (2014)

💬 Community (1)

Bugzilla: CVE-2014-4038 CVE-2014-4039 ppc64-diag: multiple temporary file races (2014-06-13)