CVE-2021-4037Improper Access Control in Kernel

CWE-284Improper Access Control10 documents8 sources
Severity
7.8HIGHNVD
OSV6.7
EPSS
0.0%
top 89.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Linux KernelDebian LinuxDebian Linux+1 more
Timeline
PublishedAug 24
Latest updateFeb 15

Description

A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the pr

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

NVDlinux/linux_kernel< 5.11
Debianlinux/linux_kernel< 5.10.149-1+3
Ubuntulinux/linux_kernel< 4.4.0-234.268
debiandebian/linux< linux 5.14.6-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: git.kernel.orgPatch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

3
OSV
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities2022-09-30
GHSA
GHSA-gvgr-4fph-m6hc: A vulnerability was found in the fs/inode2022-08-25
OSV
CVE-2021-4037: A vulnerability was found in the fs/inode2022-08-24

📋Vendor Advisories

6
CISA ICS
Siemens SCALANCE XCM-/XRM-3002024-02-15
CISA ICS
Siemens SIMATIC S7-1500 TM MFP Linux Kernel2023-06-15
Ubuntu
Linux kernel vulnerabilities2022-09-30
Microsoft
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and2022-08-09
Red Hat
kernel: security regression for CVE-2018-134052021-09-16