CVE-2014-8994 - The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbit

CVE-2014-8994

Summary

The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_status-*-*).

References

http://seclists.org/oss-sec/2014/q4/679
http://seclists.org/oss-sec/2014/q4/701
http://www.securityfocus.com/bid/71208
https://exchange.xforce.ibmcloud.com/vulnerabilities/98849

Vulnerable Configurations

cpe:2.3:a:check_diskio_project:check_diskio:3.2.5:*:*:*:*:*:*:*
cpe:2.3:a:check_diskio_project:check_diskio:3.2.5:*:*:*:*:*:*:*

CVSS

Base:	3.6 (as of 08-09-2017 - 01:29)
Impact:
Exploitability:

CWE

CWE-18

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	PARTIAL

cvss-vector via4

AV:L/AC:L/Au:N/C:N/I:P/A:P

refmap via4

bid	71208
mlist	[oss-security] 20141119 CVE request for check_diskio nagios/icinga plugin [oss-security] 20141120 Re: CVE request for check_diskio nagios/icinga plugin
xf	checkdiskio-cve20148994-symlink(98849)

Last major update

08-09-2017 - 01:29

Published

28-11-2014 - 15:59

Last modified

08-09-2017 - 01:29