A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the –follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the links target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Coreutils | Uutils | - (including) | - (including) |
| Rust-coreutils | Ubuntu | devel | * |
| Rust-coreutils | Ubuntu | esm-apps/noble | * |
| Rust-coreutils | Ubuntu | noble | * |
| Rust-coreutils | Ubuntu | questing | * |
| Rust-coreutils | Ubuntu | resolute | * |
| Rust-coreutils | Ubuntu | upstream | * |