History: Dec 20, 2017 - 11:29 p.m.

CVE-2017-17807

2017-12-20 23:29:00
CWE-862
web.nvd.nist.gov
keys
linux kernel
access control
security vulnerability
local user
system calls
unauthorized access

CVSS2: 2.1

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 3.3

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score: 5
Confidence: Low

EPSS: 0
Percentile: 10.1%

The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task’s “default request-key keyring” via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.

Affected configurations

NVD
Node
linux | linux_kernel | Range: <4.14.6
