CVE-2019-3689
published 2019-09-19
critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating or overwriting files anywhere on the system.
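A defender can check a host for the ownership pattern described above with a short audit script. This is an added example, not part of the advisory or of nfs-utils; the function names and the sample listings (including the entry names `etab`, `rmtab` and `sm`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the ownership pattern described in CVE-2019-3689.

# Print "owner:group path" for a directory (first line) and its direct entries.
# Relies on GNU find's -printf.
list_owners() {
    find "$1" -maxdepth 1 -printf '%u:%g %p\n'
}

# Read such a listing on stdin. Status 1 plus a report when the directory is
# not owned by root yet holds root-owned entries; status 0 otherwise.
check_listing() {
    awk '
        { owner = $1; sub(/:.*/, "", owner); path = $0; sub(/^[^ ]+ /, "", path) }
        NR == 1 { dir_owner = owner; dir = path; next }
        owner == "root" { root_entries = root_entries "  " path "\n" }
        END {
            if (dir_owner != "root" && root_entries != "") {
                printf "RISK: %s is owned by %s but holds root-owned entries:\n%s", dir, dir_owner, root_entries
                exit 1
            }
            printf "OK: %s (owner %s)\n", dir, dir_owner
        }
    '
}

# Constructed sample listings (not captured from a real host).
sample_affected() {
    printf '%s\n' 'statd:nogroup /var/lib/nfs' \
                  'root:root /var/lib/nfs/etab' \
                  'root:root /var/lib/nfs/rmtab' \
                  'statd:nogroup /var/lib/nfs/sm'
}
sample_root_owned() {
    printf '%s\n' 'root:root /var/lib/nfs' \
                  'root:root /var/lib/nfs/etab' \
                  'statd:nogroup /var/lib/nfs/sm'
}

# With a directory argument, audit it; without one, show the constructed case.
if [ "$#" -gt 0 ]; then
    list_owners "$1" | check_listing
else
    sample_affected | check_listing || true
fi
```

Pass `/var/lib/nfs` as the argument to audit a real host; a `RISK` line means a non-root account controls a directory in which root-owned files live.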
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nfs-utils | < nfs-utils 1:1.3.4-3 (bookworm) | nfs-utils 1:1.3.4-3 (bookworm) |
| linux-nfs | nfs-utils | <= 1.3.0-34.18.1 | — |
| linux-nfs | nfs-utils | <= 2.1.1-6.10.2 | — |
| linux-nfs | nfs-utils | >= 0 < 1:1.3.4-3 | 1:1.3.4-3 |
| linux-nfs | nfs-utils | >= 0 < 1:1.3.4-3 | 1:1.3.4-3 |
| linux-nfs | nfs-utils | >= 0 < 1:1.3.4-3 | 1:1.3.4-3 |
| linux-nfs | nfs-utils | >= 0 < 1:1.3.4-3 | 1:1.3.4-3 |
| suse | suse_linux_enterprise_server_12 | — | — |
| suse | suse_linux_enterprise_server_15 | — | — |
CVSS provenance
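| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |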