CVE-2004-2778 - OpenCVE

Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted commands via navigating to the affected directories, or executing the affected commands.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Gentoo	Portage

Configuration 1 [-]

cpe:2.3:a:gentoo:portage:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2017/01/28/7	Mailing List Third Party Advisory
https://bugs.gentoo.org/show_bug.cgi?id=141619	Vendor Advisory
https://bugs.gentoo.org/show_bug.cgi?id=396153	Vendor Advisory
https://bugs.gentoo.org/show_bug.cgi?id=58611	Vendor Advisory
https://bugs.gentoo.org/show_bug.cgi?id=607426	Vendor Advisory
https://bugs.gentoo.org/show_bug.cgi?id=607430	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-06-27T20:00:00

Updated: 2017-06-27T19:57:01

Reserved: 2017-01-28T00:00:00

Link: CVE-2004-2778

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-06-27T20:29:00.183

Modified: 2017-07-05T18:40:04.487

Link: CVE-2004-2778

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2004-07-27T00:00:00", "descriptions": [{"lang": "en", "value": "Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted commands via navigating to the affected directories, or executing the affected commands."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-27T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=141619"}, {"name": "[oss-security] 20170128 Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2017/01/28/7"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=58611"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=607426"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=396153"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=607430"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-2778", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted commands via navigating to the affected directories, or executing the affected commands."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.gentoo.org/show_bug.cgi?id=141619", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=141619"}, {"name": "[oss-security] 20170128 Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2017/01/28/7"}, {"name": "https://bugs.gentoo.org/show_bug.cgi?id=58611", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=58611"}, {"name": "https://bugs.gentoo.org/show_bug.cgi?id=607426", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=607426"}, {"name": "https://bugs.gentoo.org/show_bug.cgi?id=396153", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=396153"}, {"name": "https://bugs.gentoo.org/show_bug.cgi?id=607430", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=607430"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-2778", "datePublished": "2017-06-27T20:00:00", "dateReserved": "2017-01-28T00:00:00", "dateUpdated": "2017-06-27T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gentoo:portage:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D2DB2B2-6B07-44EC-A1BE-6E5B8A502D87", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted commands via navigating to the affected directories, or executing the affected commands."}, {"lang": "es", "value": "Ebuild en Gentoo puede cambiar los permisos de directorios y archivos en funci\u00f3n del orden de los paquetes instalados, lo que permite a usuarios locales leer o escribir en directorios restringidos o ejecutar comandos restringidos mediante la navegaci\u00f3n a directorios afectados o la ejecuci\u00f3n de comandos afectados."}], "id": "CVE-2004-2778", "lastModified": "2017-07-05T18:40:04.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-27T20:29:00.183", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/01/28/7"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=141619"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=396153"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=58611"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=607426"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=607430"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}