The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| juniper | ctpview | * |
| novell | open_enterprise_server | - |
| juniper | ctpview | 7.1 |
| suse | linux_enterprise_server | 10 |
| avaya | intuity_audix_lx | 2.0 |
| avaya | message_networking | 3.1 |
| fedoraproject | fedora | 10 |
| suse | linux_enterprise_server | 9 |
| debian | debian_linux | 5.0 |
| avaya | messaging_storage_server | 3.0 |
| debian | debian_linux | 4.0 |
| avaya | messaging_storage_server | 4.0 |
| opensuse | opensuse | * |
| suse | linux_enterprise_desktop | 9 |
| fedoraproject | fedora | 9 |
| avaya | messaging_storage_server | 5.0 |
| christophe.varoqui | multipath-tools | 0.4.8 |