CVE-2013-1958

2013-04-2419:55:01

CWE-264

[email protected]

web.nvd.nist.gov

cve-2013-1958

linux kernel

net/core/scm.c

capability requirements

pid value

unix domain socket

access restrictions

nvd

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:N/I:P/A:N

6.2 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

JSON

The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, which allows local users to bypass intended access restrictions by leveraging the time interval during which a user namespace has been created but a PID namespace has not been created.

Affected configurations

NVD

Node

linuxlinux_kernelRange≤3.8.5

linuxlinux_kernelMatch3.8.0

linuxlinux_kernelMatch3.8.1

linuxlinux_kernelMatch3.8.2

linuxlinux_kernelMatch3.8.3

linuxlinux_kernelMatch3.8.4

CPENameOperatorVersion
linux:linux_kernellinux linux kernelle3.8.5
linux:linux_kernellinux linux kerneleq3.8.0
linux:linux_kernellinux linux kerneleq3.8.1
linux:linux_kernellinux linux kerneleq3.8.2
linux:linux_kernellinux linux kerneleq3.8.3
linux:linux_kernellinux linux kerneleq3.8.4

CPE	Name	Operator	Version
linux:linux_kernel	linux linux kernel	le	3.8.5
linux:linux_kernel	linux linux kernel	eq	3.8.0
linux:linux_kernel	linux linux kernel	eq	3.8.1
linux:linux_kernel	linux linux kernel	eq	3.8.2
linux:linux_kernel	linux linux kernel	eq	3.8.3
linux:linux_kernel	linux linux kernel	eq	3.8.4