CVE-2019-9579Incorrect Default Permissions in Oracle Solaris

CWE-276Incorrect Default Permissions4 documents4 sources
Severity
8.1HIGHNVD
EPSS
0.7%
top 28.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Oracle Solaris
Timeline
PublishedDec 26

Description

An issue was discovered in Illumos in Nexenta NexentaStor 4.0.5 and 5.1.2, and other products. The SMB server allows an attacker to have unintended access, e.g., an attacker with WRITE_XATTR can change permissions. This occurs because of a combination of three factors: ZFS extended attributes are used to implement NT named streams, the SMB protocol requires implementations to have open handle semantics similar to those of NTFS, and the SMB server passes along certain attribute requests to the un

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages1 packages

Patches

Patch: www.illumos.orgPatch: www.oracle.comPatch: www.illumos.org

🔴Vulnerability Details

2
CVEList
CVE-2019-9579: An issue was discovered in Illumos in Nexenta NexentaStor 42022-12-26
GHSA
GHSA-79p4-hp34-c4rw: An issue was discovered in Illumos in Nexenta NexentaStor 42022-12-26

📋Vendor Advisories

1
Oracle
Oracle Oracle Systems Risk Matrix: SMB Server — CVE-2019-95792020-01-15
CVE-2019-9579 — Incorrect Default Permissions in Oracle | cvebase