CVE-2018-14650 — Incorrect Permission Assignment in Project Sos-collector

CWE-732 — Incorrect Permission Assignment CWE-276 — Incorrect Default Permissions6 documents5 sources

Severity

5.0MEDIUMNVD

CNA5.9

EPSS

0.0%

top 86.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Enterprise Linux Desktop Redhat Enterprise Linux Server Redhat Enterprise Linux Server AUS +3 more

Timeline

PublishedSep 27

Latest updateMay 13

Description

It was discovered that sos-collector does not properly set the default permissions of newly created files, making all files created by the tool readable by any local user. A local attacker may use this flaw by waiting for a legit user to run sos-collector and steal the collected data in the /var/tmp directory.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 1.3 | Impact: 3.6

Affected Packages4 packages

▶NVDsos-collector_project/sos-collector1.4

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Enterprise Linux 7.6

🔴Vulnerability Details

GHSA

GHSA-4pjf-x44m-95hq: It was discovered that sos-collector does not properly set the default permissions of newly created files, making all files created by the tool readab↗2022-05-13

▶

CVEList

CVE-2018-14650: It was discovered that sos-collector does not properly set the default permissions of newly created files, making all files created by the tool readab↗2018-09-27

▶

📋Vendor Advisories

Red Hat

sos-collector: incorrect permissions set on newly created files↗2018-09-27

▶

💬Community

Bugzilla

CVE-2018-14650 sos-collector: incorrect permissions set on newly created files [fedora-all]↗2018-09-27

▶

Bugzilla

CVE-2018-14650 sos-collector: incorrect permissions set on newly created files↗2018-09-26

▶