CVE-2009-1297

iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1 and SUSE Linux Enterprise (SLE) 10 SP2 and 11, and other operating systems, allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file that has a predictable name.

CVSS v2.0 4.4 MEDIUM

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html	Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:109
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0241
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html	Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:109
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0241

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:novell:suse_linux:10:sp2:enterprise:::::*
	cpe:2.3:o:novell:suse_linux:11:-:enterprise:::::*
	cpe:2.3:o:opensuse:opensuse:10.3:::::::*
	cpe:2.3:o:opensuse:opensuse:11.1:::::::*

History

21 Nov 2024, 01:02

Type	Values Removed	Values Added
References	~~() http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html - Vendor Advisory~~	() http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html - Vendor Advisory
References	~~() http://www.mandriva.com/security/advisories?name=MDVSA-2013:109 -~~	() http://www.mandriva.com/security/advisories?name=MDVSA-2013:109 -
References	~~() https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0241 -~~	() https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0241 -

Information

Published : 2009-10-23 18:30

Updated : 2024-11-21 01:02

NVD link : CVE-2009-1297

Mitre link : CVE-2009-1297

CVE.ORG link : CVE-2009-1297

JSON object : View

Products Affected

opensuse

opensuse

novell

suse_linux

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2009-1297", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-10-23T18:30:00.267", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html", "tags": ["Vendor Advisory"], "source": "security@ubuntu.com"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:109", "source": "security@ubuntu.com"}, {"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0241", "source": "security@ubuntu.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:109", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0241", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1 and SUSE Linux Enterprise (SLE) 10 SP2 and 11, and other operating systems, allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file that has a predictable name."}, {"lang": "es", "value": "iscsi_discovery en open-iscsi en SUSE openSUSE versi\u00f3n 10.3 hasta la 11.1 y SUSE Linux Enterprise (SLE) versi\u00f3n 10 SP2 y 11, y otros sistemas operativos, permite a los usuarios locales sobrescribir archivos arbitrarios por medio de un ataque de enlace simb\u00f3lico (symlink) en un archivo temporal no especificado que tiene un nombre predecible."}], "lastModified": "2024-11-21T01:02:07.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:novell:suse_linux:10:sp2:enterprise:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DC820C5-6283-4EB7-A5C7-B28EFEFC3926"}, {"criteria": "cpe:2.3:o:novell:suse_linux:11:-:enterprise:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB545D91-1C4C-4692-B01A-B8DAE4A958BE"}, {"criteria": "cpe:2.3:o:opensuse:opensuse:10.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C35B68DF-1440-4587-8458-9C5F4D1E43F3"}, {"criteria": "cpe:2.3:o:opensuse:opensuse:11.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBF7B6A8-3DF9-46EC-A90E-6EF68C39F883"}], "operator": "OR"}]}], "sourceIdentifier": "security@ubuntu.com"}