CVE-2023-6917Time-of-check Time-of-use (TOCTOU) Race Condition in Performance Co-pilot

CWE-367Time-of-check Time-of-use (TOCTOU) Race ConditionCWE-378Creation of Temporary File With Insecure Permissions6 documents6 sources
Severity
6.7MEDIUMNVD
CNA6.0
EPSS
0.0%
top 97.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Opensuse PCPSGI Performance Co-pilotRedhat Enterprise Linux
Timeline
PublishedFeb 28

Description

A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services associated with PCP. While certain services operate within the confines of limited PCP user/group privileges, others are granted full root privileges. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged PCP users. Specifically, this vulnerability may lead t

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

Debianopensuse/pcp< 6.2.0-1+1

Also affects: Enterprise Linux 9.0

🔴Vulnerability Details

3
GHSA
GHSA-pgw3-qmf6-36m3: A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services a2024-02-28
OSV
CVE-2023-6917: A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services a2024-02-28
CVEList
Pcp: unsafe use of directories allows pcp to root privilege escalation2024-02-28

📋Vendor Advisories

2
Red Hat
pcp: unsafe use of directories allows pcp to root privilege escalation2024-02-15
Debian
CVE-2023-6917: pcp - A vulnerability has been identified in the Performance Co-Pilot (PCP) package, s...2023
CVE-2023-6917 — SGI Performance Co-pilot vulnerability | cvebase