CVE-2017-14159

CWE-665 CWE-3778 documents7 sources

Severity

4.7MEDIUM

EPSS

0.1%

top 74.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Blockchain Platform Openldap Openldap

Timeline

PublishedSep 5

Latest updateMay 13

Description

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.0 | Impact: 3.6

Affected Packages2 packages

▶NVDopenldap/openldap2.4.45

▶NVDoracle/blockchain_platform< 21.1.2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-xxfr-gfjr-h844: slapd in OpenLDAP 2↗2022-05-13

▶

CVEList

CVE-2017-14159: slapd in OpenLDAP 2↗2017-09-05

▶

OSV

CVE-2017-14159: slapd in OpenLDAP 2↗2017-09-05

▶

📋Vendor Advisories

Red Hat

openldap: Privilege escalation via PID file manipulation↗2017-07-28

▶

Debian

CVE-2017-14159: openldap - slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privilege...↗2017

▶

💬Community

Bugzilla

CVE-2017-14159 openldap: Privilege escalation via PID file manipulation↗2017-09-06

▶

Bugzilla

CVE-2017-14159 openldap: Privilege escalation via PID file manipulation [fedora-all]↗2017-09-06

▶