Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-19046

Опубликовано: 08 нояб. 2018
Источник: redhat
CVSS3: 7.1

Описание

keepalived 2.0.8 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.

Отчет

This issue did not affect the versions of keepalived as shipped with Red Hat Enterprise Linux 6 and 7 as the packages are not built with dbus support, therefore the vulnerable code is not available in resulting RPM and the issue cannot be exploited.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6keepalivedNot affected
Red Hat Enterprise Linux 7keepalivedNot affected
Red Hat Enterprise Linux 8keepalivedNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-377
https://bugzilla.redhat.com/show_bug.cgi?id=1651869keepalived: Insecure use of temporary files allows attackers read sensitive information from pre-existing files

7.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-19046

CVSS3: 4.7
ubuntu
около 7 лет назад

keepalived 2.0.8 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.

nvd логотип

CVE-2018-19046

CVSS3: 4.7
nvd
около 7 лет назад

keepalived 2.0.8 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.

debian логотип

CVE-2018-19046

CVSS3: 4.7
debian
около 7 лет назад

keepalived 2.0.8 didn't check for existing plain files when writing da ...

github логотип

GHSA-fjwx-29fr-83hw

CVSS3: 4.7
github
больше 3 лет назад

keepalived 2.0.8 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.

fstec логотип

BDU:2020-05642

CVSS3: 4.7
fstec
больше 7 лет назад

Уязвимость реализации вызовов PrintData или PrintStats системы балансировки сетевого трафика Keepalived, позволяющая нарушителю получить доступ к защищаемой информации

7.1 High

CVSS3