Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-41974

Опубликовано: 29 окт. 2022
Источник: debian

Описание

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
multipath-toolsfixed0.9.4-1package

Примечания

  • https://www.openwall.com/lists/oss-security/2022/10/24/2

  • https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt

  • Introduced by: https://github.com/opensvc/multipath-tools/commit/9acda0c47b143f2ef6123957d2ccd24ea995dc04 (0.7.0)

  • Fix included in https://github.com/opensvc/multipath-tools/pull/46

  • Fixed by (merge): https://github.com/opensvc/multipath-tools/commit/c4912a639b7ff527aa11d665944594926ff94a7a (0.9.2)

  • https://github.com/opensvc/multipath-tools/commit/f812466f68b8e020818c6454d7b7a7e278bc99f6 (0.9.2)

  • https://github.com/opensvc/multipath-tools/commit/d139bcf0842bc0a16beab86e1349ed65b150bf0c (0.9.2, CVE fix)

  • https://github.com/opensvc/multipath-tools/commit/2a1ff3154c1d5de423c303ca3bc9ed9727b4e523 (0.9.2)

  • https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f (0.9.2)

  • https://github.com/opensvc/multipath-tools/commit/994811a29332161ec150f1d9822ff460cfc0f316 (0.9.2)

Связанные уязвимости

ubuntu логотип

CVE-2022-41974

CVSS3: 7.8
ubuntu
почти 3 года назад

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

redhat логотип

CVE-2022-41974

CVSS3: 7.8
redhat
почти 3 года назад

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

nvd логотип

CVE-2022-41974

CVSS3: 7.8
nvd
почти 3 года назад

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

msrc логотип

CVE-2022-41974

CVSS3: 7.8
msrc
почти 3 года назад

Описание отсутствует

suse-cvrf логотип

SUSE-SU-2022:3715-1

suse-cvrf
почти 3 года назад

Security update for multipath-tools