Lucene search

[email protected]CVE-2018-14650

HistorySep 27, 2018 - 8:29 p.m.

CVE-2018-14650

2018-09-2720:29:00

CWE-276

CWE-732

[email protected]

web.nvd.nist.gov

sos-collector

permissions

data theft

cve-2018-14650

nvd

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

4.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

It was discovered that sos-collector does not properly set the default permissions of newly created files, making all files created by the tool readable by any local user. A local attacker may use this flaw by waiting for a legit user to run sos-collector and steal the collected data in the /var/tmp directory.

Affected configurations

NVD

Node

sos-collector_projectsos-collectorMatch1.4

Node

redhatenterprise_linux_desktopMatch7.0x64

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch7.6

redhatenterprise_linux_server_eusMatch7.6

redhatenterprise_linux_workstationMatch7.0x64

CPENameOperatorVersion
sos-collector_project:sos-collectorsos-collector project sos-collectoreq1.4

CPE	Name	Operator	Version
sos-collector_project:sos-collector	sos-collector project sos-collector	eq	1.4

CNA Affected

[
  {
    "product": "sos-collector",
    "vendor": "[UNKNOWN]",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]