Lucene search

[email protected]CVE-2013-2239

HistoryNov 12, 2013 - 2:35 p.m.

CVE-2013-2239

2013-11-1214:35:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2013-2239

vzkernel

openvz

linux kernel

sensitive information

ioctl

quotactl

nvd

5.7 Medium

AI Score

Confidence

Low

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

0.0004 Low

EPSS

Percentile

5.2%

JSON

vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via (1) a crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function in drivers/block/ploop/dev.c, or (2) a crafted quotactl system call, related to the compat_quotactl function in fs/quota/quota.c.

CPENameOperatorVersion
openvz:vzkernelopenvz vzkerneleq2.6.32

CPE	Name	Operator	Version
openvz:vzkernel	openvz vzkernel	eq	2.6.32

References

openwall.com/lists/oss-security/2013/07/04/9

wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2

www.debian.org/security/2013/dsa-2766

bugs.gentoo.org/show_bug.cgi?id=475762

security-tracker.debian.org/tracker/CVE-2013-2239

5.7 Medium

AI Score

Confidence

Low

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

0.0004 Low

EPSS

Percentile

5.2%

JSON

Related for CVE-2013-2239

redhatcve1 prion1 debiancve1 openvas2 debian1 osv1 nessus1