Fuse
CVE-2016-1233
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character device, which allows local users to gain privileges via a character device in /dev, related to an ioctl.
AnalysisAI
An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-264. An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character device, which allows local users to gain privileges via a character device in /dev, related to an ioctl. Affected products include: Debian Fuse. Version information: before 2.9.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow app
In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is act
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in
A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo
Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal net
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allow
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization b
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container ru
Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware prod
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as ro
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today