Description
The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| nginx | unfixed | | | package |
| nginx | ignored | | trixie | package |
| nginx | ignored | | bookworm | package |
| nginx | ignored | | bullseye | package |
| nginx | ignored | | buster | package |
| nginx | ignored | | stretch | package |
| nginx | ignored | | jessie | package |
| nginx | no-dsa | | wheezy | package |
| nginx | no-dsa | | squeeze | package |
Notes
Can only be fixed properly once https://trac.nginx.org/nginx/ticket/376 is resolved upstream
Originally fixed in 1.4.4-2 but reintroduced with DSA-3701-1 (CVE-2016-1247)
Post DSA-3701-1, Debian's default configuration is not affected, new log files are