CVE-2017-10140 — Postfix vulnerability

14 documents9 sources

Severity

7.8HIGHNVD

EPSS

0.3%

top 47.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postfix Debian Db5.3 Apple Macos High Sierra +1 more

Timeline

PublishedApr 16

Latest updateMay 13

Description

Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDpostfix/postfix3.0.0 — 3.0.10+3

▶debiandebian/db5.3< db5.3 5.3.28-13.1 (bookworm)

▶Appleapple/macos_high_sierra10.13

▶Appleapple/macos_high_sierra_10.13.1_security_update_2017-001_sierra_and_security_update_20

🔴Vulnerability Details

GHSA

GHSA-698c-frxg-8qf9: Postfix before 2↗2022-05-13

▶

OSV

CVE-2017-10140: Postfix before 2↗2018-04-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle Berkeley DB Risk Matrix: Data Store — CVE-2017-10140↗2020-07-15

▶

Ubuntu

Berkeley DB vulnerability↗2017-11-21

▶

Ubuntu

Berkeley DB vulnerability↗2017-11-21

▶

Apple

CVE-2017-10140: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan↗2017-10-31

▶

Apple

CVE-2017-10140: macOS High Sierra 10.13↗2017-09-25

▶

💬Community

Bugzilla

CVE-2017-10140 libdb4: libdb: Reads DB_CONFIG from the current working directory [fedora-all]↗2017-06-22

▶

Bugzilla

CVE-2017-10140 libdb: Reads DB_CONFIG from the current working directory [fedora-all]↗2017-06-22

▶

Bugzilla

CVE-2017-10140 postfix: libdb: Reads DB_CONFIG from the current working directory [fedora-all]↗2017-06-22

▶

Bugzilla

CVE-2017-10140 libdb: Reads DB_CONFIG from the current working directory↗2017-06-22

▶