CVE-2002-0080

rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name	Vendor	Start Version	End Version
Rsync	Samba	*	2.5.3 (excluding)
Red Hat Linux 6.2	RedHat		*
Red Hat Linux 7.0	RedHat		*
Red Hat Linux 7.1	RedHat		*
Red Hat Linux 7.2	RedHat		*

Potential Mitigations

https://cwe.mitre.org/data/definitions/122.html
https://cwe.mitre.org/data/definitions/233.html
https://cwe.mitre.org/data/definitions/58.html

References

http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt
http://www.iss.net/security_center/static/8463.php
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3
http://www.redhat.com/support/errata/RHSA-2002-026.html
http://www.securityfocus.com/bid/4285
http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt
http://www.iss.net/security_center/static/8463.php
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3
http://www.redhat.com/support/errata/RHSA-2002-026.html
http://www.securityfocus.com/bid/4285

NVD	https://nvd.nist.gov/vuln/detail/CVE-2002-0080
CWE	https://cwe.mitre.org/data/definitions/269.html

Improper Privilege Management

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References