Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2013-4419

Published: Nov 05, 2013 | Modified: Dec 13, 2018
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
6.8 MEDIUM
AV:A/AC:H/Au:N/C:C/I:C/A:C
RedHat/V2
6.8 MODERATE
AV:A/AC:H/Au:N/C:C/I:C/A:C
RedHat/V3
Ubuntu
LOW
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2013-4419
CWEhttps://cwe.mitre.org/data/definitions/264.html

The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the –remote or –listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance.

Affected Software

Name Vendor Start Version End Version
Libguestfs Libguestfs 1.20.0 (including) 1.20.12 (including)
Libguestfs Libguestfs 1.22.0 (including) 1.22.7 (including)
Libguestfs Ubuntu artful *
Libguestfs Ubuntu bionic *
Libguestfs Ubuntu cosmic *
Libguestfs Ubuntu devel *
Libguestfs Ubuntu disco *
Libguestfs Ubuntu eoan *
Libguestfs Ubuntu esm-apps/bionic *
Libguestfs Ubuntu esm-apps/focal *
Libguestfs Ubuntu esm-apps/jammy *
Libguestfs Ubuntu esm-apps/noble *
Libguestfs Ubuntu esm-apps/xenial *
Libguestfs Ubuntu focal *
Libguestfs Ubuntu groovy *
Libguestfs Ubuntu hirsute *
Libguestfs Ubuntu impish *
Libguestfs Ubuntu jammy *
Libguestfs Ubuntu kinetic *
Libguestfs Ubuntu lunar *
Libguestfs Ubuntu mantic *
Libguestfs Ubuntu noble *
Libguestfs Ubuntu precise *
Libguestfs Ubuntu quantal *
Libguestfs Ubuntu raring *
Libguestfs Ubuntu saucy *
Libguestfs Ubuntu trusty *
Libguestfs Ubuntu upstream *
Libguestfs Ubuntu utopic *
Libguestfs Ubuntu vivid *
Libguestfs Ubuntu wily *
Libguestfs Ubuntu xenial *
Libguestfs Ubuntu yakkety *
Libguestfs Ubuntu zesty *
Red Hat Enterprise Linux 6 RedHat libguestfs-1:1.20.11-2.el6 *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use