CVE-2015-1870

CVE Details

Release Date:2015-04-17

Description


It was found that the ABRT event scripts created a user-readable copy of an sosreport file in ABRT problem directories, and included excerpts of /var/log/messages selected by the user-controlled process name, leading to an information disclosure. The fix for this issue prevents non-privileged users from accessing any crash reports, even reports of crashes of processes owned by those users. Only administrators (the wheel group members) are allowed to access crash reports via the System tab in the ABRT GUI, or by running abrt-cli as root (that is, via "sudo abrt-cli" or "su -c abrt-cli").

See more information about CVE-2015-1870 from MITRE CVE dictionary and NIST NVD


CVSS v2.0 metrics


NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.

Base Score: 2.1 Base Metrics: AV:L/AC:L/Au:N/C:P/I:N/A:N
Access Vector: Local network Attack Complexity: Low
Authentication: None required Confidentiality Impact: Partial
Integrity Impact: None Availability Impact: None

Errata information


PlatformErrataRelease Date
Oracle Linux version 6 (abrt)ELSA-2015-12102015-07-07
Oracle Linux version 6 (libreport)ELSA-2015-12102015-07-07
Oracle Linux version 7 (abrt)ELSA-2015-10832015-06-09
Oracle Linux version 7 (libreport)ELSA-2015-10832015-06-09



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete