CVE-2015-3142

CWE-200 — Information Exposure CWE-2826 documents5 sources

Severity

4.7MEDIUM

EPSS

0.1%

top 70.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Automatic BUG Reporting Tool

Timeline

PublishedJun 26

Latest updateMay 14

Description

The kernel-invoked coredump processor in Automatic Bug Reporting Tool (ABRT) does not properly check the ownership of files before writing core dumps to them, which allows local users to obtain sensitive information by leveraging write permissions to the working directory of a crashed application.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages1 packages

▶NVDredhat/automatic_bug_reporting_tool2.1.11

🔴Vulnerability Details

GHSA

GHSA-fpvf-mw5r-q2rm: The kernel-invoked coredump processor in Automatic Bug Reporting Tool (ABRT) does not properly check the ownership of files before writing core dumps↗2022-05-14

▶

CVEList

CVE-2015-3142: The kernel-invoked coredump processor in Automatic Bug Reporting Tool (ABRT) does not properly check the ownership of files before writing core dumps↗2017-06-26

▶

📋Vendor Advisories

Red Hat

abrt: abrt-hook-ccpp writes core dumps to existing files owned by others↗2015-04-17

▶

💬Community

Bugzilla

CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others↗2015-04-17

▶

Bugzilla

CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others [fedora-all]↗2015-04-17

▶