linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file.
References
Link | Resource |
---|---|
http://lists.opensuse.org/opensuse-updates/2016-08/msg00029.html | Mailing List Third Party Advisory |
http://lists.opensuse.org/opensuse-updates/2016-08/msg00030.html | Mailing List Third Party Advisory |
http://www.debian.org/security/2016/dsa-3634 | Third Party Advisory |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460 | Mailing List Third Party Advisory |
https://github.com/antirez/linenoise/issues/121 | Patch Third Party Advisory |
https://github.com/antirez/linenoise/pull/122 | Patch Third Party Advisory |
https://github.com/antirez/redis/blob/3.2/00-RELEASENOTES | Release Notes |
https://github.com/antirez/redis/issues/3284 | Patch Third Party Advisory |
https://github.com/antirez/redis/pull/1418 | Issue Tracking Patch Third Party Advisory |
https://github.com/antirez/redis/pull/3322 | Patch Third Party Advisory |
Configurations
History
No history.
Information
Published : 2016-08-10 14:59
Updated : 2024-02-28 15:21
NVD link : CVE-2013-7458
Mitre link : CVE-2013-7458
CVE.ORG link : CVE-2013-7458
JSON object : View
Products Affected
redislabs
- redis
debian
- debian_linux
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor