CVE-2015-3171 — Sensitive Information Exposure in Project SOS

CWE-200 — Sensitive Information Exposure CWE-732 — Incorrect Permission Assignment9 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 89.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SOS Project SOS

Timeline

PublishedJul 25

Latest updateMay 13

Description

sosreport 3.2 uses weak permissions for generated sosreport archives, which allows local users with access to /var/tmp/ to obtain sensitive information by reading the contents of the archive.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDsos_project/sos3.2

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

sosreport sensitive information disclosure via weak permissions of the generated archives↗2022-05-13

▶

GHSA

sosreport sensitive information disclosure via weak permissions of the generated archives↗2022-05-13

▶

CVEList

CVE-2015-3171: sosreport 3↗2017-07-25

▶

OSV

CVE-2015-3171: sosreport 3↗2017-07-25

▶

📋Vendor Advisories

Red Hat

sosreport: temporary file created with world-readable permissions↗2015-05-05

▶

Debian

CVE-2015-3171: sosreport - sosreport 3.2 uses weak permissions for generated sosreport archives, which allo...↗2015

▶

💬Community

Bugzilla

CVE-2015-3171 sosreport: temporary file created with world-readable permissions↗2015-05-05

▶

Bugzilla

CVE-2015-3171 sos: sosreport: temporary file created with world-readable permissions [fedora-all]↗2015-05-05

▶