Skip to main content

Libguestfs CVE-2013-4419

MEDIUM
Permissions, Privileges, and Access Controls (CWE-264)
2013-11-05 secalert@redhat.com
6.8
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:A/AC:H/Au:N/C:C/I:C/A:C

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:A/AC:H/Au:N/C:C/I:C/A:C
Attack Vector
Adjacent
Attack Complexity
High
Confidentiality
C
Integrity
C
Availability
C

Lifecycle Timeline

1
CVE Published
Nov 05, 2013 - 20:55 cve.org
MEDIUM 6.8

DescriptionCVE.org

The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance.

AnalysisAI

The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary. Rated medium severity (CVSS 6.8).

Technical ContextAI

This vulnerability is classified under CWE-264. The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance. Affected products include: Libguestfs, Suse Suse Linux Enterprise Software Development Kit, Novell Suse Linux Enterprise Server.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2013-4419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy