CVE-2016-7553 - OpenCVE

The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Irssi	Buf.pl

Configuration 1 [-]

cpe:2.3:a:irssi:buf.pl:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2016/09/24/1	Mailing List Patch
http://www.openwall.com/lists/oss-security/2016/09/26/4	Mailing List Patch
http://www.securityfocus.com/bid/93155	Third Party Advisory VDB Entry
https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a	Patch
https://irssi.org/security/buf_pl_sa_2016.txt	Patch Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: debian

Published: 2017-02-27T22:00:00

Updated: 2017-02-28T13:57:01

Reserved: 2016-09-09T00:00:00

Link: CVE-2016-7553

JSON object: View

NVD Information

Status : Modified

Published: 2017-02-27T22:59:00.480

Modified: 2023-11-07T02:34:43.543

Link: CVE-2016-7553

JSON object: View

Redhat Information

No data.

CWE

CWE-275

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-09-22T00:00:00", "descriptions": [{"lang": "en", "value": "The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-28T13:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "[oss-security] 20160926 Re: CVE Request: irssi: information disclosure vulnerabilit in buf.pl", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/09/26/4"}, {"name": "[oss-security] 20160924 CVE Request: irssi: information disclosure vulnerabilit in buf.pl", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/09/24/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://irssi.org/security/buf_pl_sa_2016.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a"}, {"name": "FEDORA-2016-39de4eb5e7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/"}, {"name": "93155", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/93155"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2016-7553", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20160926 Re: CVE Request: irssi: information disclosure vulnerabilit in buf.pl", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/09/26/4"}, {"name": "[oss-security] 20160924 CVE Request: irssi: information disclosure vulnerabilit in buf.pl", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/09/24/1"}, {"name": "https://irssi.org/security/buf_pl_sa_2016.txt", "refsource": "CONFIRM", "url": "https://irssi.org/security/buf_pl_sa_2016.txt"}, {"name": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a", "refsource": "CONFIRM", "url": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a"}, {"name": "FEDORA-2016-39de4eb5e7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/"}, {"name": "93155", "refsource": "BID", "url": "http://www.securityfocus.com/bid/93155"}]}}}}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2016-7553", "datePublished": "2017-02-27T22:00:00", "dateReserved": "2016-09-09T00:00:00", "dateUpdated": "2017-02-28T13:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:irssi:buf.pl:*:*:*:*:*:*:*:*", "matchCriteriaId": "0446A04A-F652-4096-A349-59A1594FE077", "versionEndIncluding": "2.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file."}, {"lang": "es", "value": "La secuencia de comandos buf.pl en versiones anteriores a 2.20 en Irssi en versiones anteriores a 0.8.20 utiliza permiso d\u00e9biles para el archivo de volcado scrollbuffer creado entre actualizaciones, lo que podr\u00edan permitir a a usuarios locales obtener informaci\u00f3n sensible de conversaciones de chat privados leyendo el archivo."}], "id": "CVE-2016-7553", "lastModified": "2023-11-07T02:34:43.543", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-27T22:59:00.480", "references": [{"source": "security@debian.org", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2016/09/24/1"}, {"source": "security@debian.org", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2016/09/26/4"}, {"source": "security@debian.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/93155"}, {"source": "security@debian.org", "tags": ["Patch"], "url": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a"}, {"source": "security@debian.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://irssi.org/security/buf_pl_sa_2016.txt"}, {"source": "security@debian.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-275"}], "source": "nvd@nist.gov", "type": "Primary"}]}