CVE-2017-14610

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-14610
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14610.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-14610
Published
2017-09-20T18:29:01Z
Modified
2024-06-30T13:02:10.750339Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 and earlier create a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command.

References

Affected packages

Git / github.com/bareos/bareos

Affected ranges

Type
GIT
Repo
https://github.com/bareos/bareos
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

Release/12.*

Release/12.4.0
Release/12.4.1

Release/15.*

Release/15.2.1
Release/15.2.2
Release/15.2.3
Release/15.2.4

Release/16.*

Release/16.2.4
Release/16.2.4-rc1
Release/16.2.5
Release/16.2.5-win-installer-fix
Release/16.2.6

Release/bacula-5.*

Release/bacula-5.2.13