CVE Vulnerabilities

CVE-2009-3369

Published: Sep 24, 2009 | Modified: Oct 31, 2009
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
8.5 HIGH
AV:N/AC:M/Au:S/C:C/I:C/A:C
RedHat/V2
5.8 LOW
AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V3
Ubuntu
MEDIUM

CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in use in a multi-user environment, does not restrict users from the ClientNameAlias function, which allows remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore.

Affected Software

Name Vendor Start Version End Version
Backuppc Craig_barratt 3.1.0 (including) 3.1.0 (including)
Backuppc Ubuntu devel *
Backuppc Ubuntu hardy *
Backuppc Ubuntu intrepid *
Backuppc Ubuntu jaunty *
Backuppc Ubuntu upstream *

References