PT-2016-4669 · Nginx+1 · Nginx+1

Dawid Golunski

Publicado

2016-10-25

Atualizado

2021-12-14

CVE-2016-1247

CVSS v3.1

7.8

Alta

Vetor

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions nginx versions prior to 1.6.2-5+deb8u3 on Debian jessie nginx versions prior to 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS nginx versions prior to 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS nginx versions prior to 1.10.1-0ubuntu1.1 on Ubuntu 16.10 nginx versions prior to 1.10.2-r3 on Gentoo

Description The issue allows local users with access to the web server user account to gain root privileges via a symlink attack on the error log.

Recommendations For Debian jessie, update to version 1.6.2-5+deb8u3 or later. For Ubuntu 14.04 LTS, update to version 1.4.6-1ubuntu3.6 or later. For Ubuntu 16.04 LTS, update to version 1.10.0-0ubuntu0.16.04.3 or later. For Ubuntu 16.10, update to version 1.10.1-0ubuntu1.1 or later. For Gentoo, update to version 1.10.2-r3 or later.

Exploit

Correção

Link Following

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-59

Identificadores relacionados

CVE-2016-1247

DSA-3701-1

DSA-3701-2

OPENSUSE-SU-2024:11341-1

USN-3114-1

USN-3114-2

Produtos afetados

Ubuntu

Nginx

PT-2016-4669 · Nginx+1 · Nginx+1

CVE-2016-1247

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 36