PT-2010-2552 · Oracle+1 · Libnss-Db+1

Stephane Chazelas · Published 2010-04-05 · Updated 2017-09-19 · CVE-2010-0826

CVSS v2.0: 1.9 (Low)

Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

libnss-db version 2.2.3pre1

Description

The issue allows local users to obtain sensitive information via a symlink attack involving a setgid or setuid application that uses the libnss-db module. This occurs because the module reads the DB_CONFIG file in the current working directory.

Recommendations

For libnss-db version 2.2.3pre1, consider restricting access to the DB_CONFIG file to prevent unauthorized reading of sensitive information. As a temporary workaround, avoid using setgid or setuid applications that utilize the libnss-db module in environments where the DB_CONFIG file could be accessed by unauthorized users.
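
A defender-side check for the condition described above, as an added example that is not part of the advisory or of libnss-db: it lists which NSS databases in an nsswitch.conf-style file use the `db` source and reports whether a given directory holds a `DB_CONFIG` file or symlink. The function names and the directories in the example invocation are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of libnss-db.

# Print every database in an nsswitch.conf-style file that lists the "db"
# source, i.e. lookups served by the libnss-db module.
nss_db_databases() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*[A-Za-z_]+[ \t]*:/ {
            split($0, kv, ":")
            name = kv[1]; gsub(/[ \t]/, "", name)
            n = split(kv[2], src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "db") { print name; break }
        }
    ' "$1"
}

# Classify DB_CONFIG in directory $1 (default: current directory):
#   absent  - no DB_CONFIG there
#   symlink - DB_CONFIG is a symbolic link, the pattern the advisory describes
#   present - a non-symlink DB_CONFIG exists; review its owner and contents
db_config_state() {
    f="${1:-.}/DB_CONFIG"
    if [ -L "$f" ]; then echo symlink
    elif [ -e "$f" ]; then echo present
    else echo absent
    fi
}

# audit CONF DIR...: returns 1 when the db source is configured and any DIR
# (e.g. a directory setuid/setgid programs are started from) holds a DB_CONFIG.
audit() {
    conf="$1"; shift
    dbs=$(nss_db_databases "$conf" | tr '\n' ' ')
    [ -n "$dbs" ] || { echo "db source not referenced in $conf"; return 0; }
    echo "db source used for: $dbs"
    rc=0
    for d in "$@"; do
        s=$(db_config_state "$d")
        echo "$d: DB_CONFIG $s"
        [ "$s" = absent ] || rc=1
    done
    return "$rc"
}

# Example invocation: sh check.sh /etc/nsswitch.conf /tmp /var/tmp
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A non-zero exit status from `audit` marks a directory worth reviewing; it does not by itself show that the installed libnss-db is the affected version.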

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2010-0826
RHSA-2010:0347
RHSA-2010_0347

Affected Products

Red Hat
Libnss-Db