QwikSec

Security Database

CVE

CWE

Training

CVE-2019-3689

Published: Sep 19, 2019

Modified: Sep 17, 2024

PUBLISHED

CVSS v3.1

5.1

MEDIUM

Description

The nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2 the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.

Vendor	Product	Versions
SUSE	SUSE Linux Enterprise Server 12	affected `before and including version 1.3.0-34.18.1`
SUSE	SUSE Linux Enterprise Server 15	affected `before and including version 2.1.1-6.10.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

References

https://bugzilla.suse.com/show_bug.cgi?id=1150733

x_refsource_CONFIRM

[debian-lts-announce] 20191019 [SECURITY] [DLA 1965-1] nfs-utils security update

mailing-list

x_refsource_MLIST

openSUSE-SU-2019:2408

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:2435

vendor-advisory

x_refsource_SUSE

https://git.linux-nfs.org/?p=steved/nfs-utils.git%3Ba=commitdiff%3Bh=fee2cc29e888f2ced6a76990923aef19d326dc0e

x_refsource_MISC

vendor-advisory

x_refsource_UBUNTU

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.