CVE-2017-6964 Information

Feb 14, 2021 cve

Description

dmcrypt-get-device as shipped in the eject package of Debian and Ubuntu does not check the return value of the (1) setuid or (2) setgid function which might cause dmcrypt-get-device to execute code which was intended to run as an unprivileged user as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10 eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.debian.org/security/2017/dsa-3823 http://www.securityfocus.com/bid/97154 https://launchpad.net/bugs/1673627 https://www.debian.org/security/2017/dsa-3823 https://www.ubuntu.com/usn/usn-3246-1/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8

Share on: