CVE-2016-1247
published 2016-11-29
high 7.8 CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nginx | < nginx 1.10.2-1 (bookworm) | nginx 1.10.2-1 (bookworm) |
| f5 | nginx | <= 1.10.1 | — |
| f5 | nginx | <= 1.10.0 | — |
| f5 | nginx | <= 1.6.2 | — |
| f5 | nginx | <= 1.4.3 | — |
| f5 | nginx | >= 0 < 1.10.2-1 | 1.10.2-1 |
| f5 | nginx | >= 0 < 1.10.2-1 | 1.10.2-1 |
| f5 | nginx | >= 0 < 1.10.2-1 | 1.10.2-1 |
| f5 | nginx | >= 0 < 1.10.2-1 | 1.10.2-1 |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
CVSS provenance
nvd v3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv 7.8 HIGH