4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0005 Low
EPSS
Percentile
16.0%
Problem description
A temporary file is created, used, deleted, and then
re-created with the same name. This creates a window during
which an attacker could replace the file with a link to
another file. While cvsbug(1) is based on the send-pr(1)
utility, this problem does not exist in the version of
send-pr(1) distributed with FreeBSD.
In FreeBSD 4.10 and 5.3, some additional problems exist
concerning temporary file usage in both cvsbug(1) and
send-pr(1).
Impact
A local attacker could cause data to be written to any file
to which the user running cvsbug(1) (or send-pr(1) in FreeBSD
4.10 and 5.3) has write access. This may cause damage in
itself (e.g., by destroying important system files or
documents) or may be used to obtain elevated privileges.
Workaround
Do not use the cvsbug(1) utility on any system with untrusted
users.
Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3
system with untrusted users.