Metric | Value |
---|---|
CVSS2 | 7.5 High |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.002 Low |
Percentile | 56.5% |

The default configuration of nginx, possibly 1.3.13 and earlier, uses
world-readable permissions for the (1) access.log and (2) error.log files,
which allows local users to obtain sensitive information by reading the
files.
Author | Note |
---|---|
mdeslaur | The fix for CVE-2016-1247 in USN-3114-1 technically re-introduced this issue, but only for environments that configure non-default log filenames. Upstream will not be fixing the default permissions on log files. Marking this CVE as ignored, since the default configuration is not vulnerable and we will not be fixing this any further. |
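
Because the note above limits the remaining exposure to non-default log filenames, a check has to read the log paths from the nginx configuration rather than assume the default names. The following is an added example, not code from this advisory or from nginx; the function names are hypothetical, and it assumes absolute log paths and one directive per line.

```shell
#!/bin/sh
# Added example: list nginx log files whose mode has the world-read bit set.
# Assumptions: log paths are absolute, and each access_log / error_log
# directive starts its own line in the config file.

# Print the file argument of every access_log / error_log directive in $1.
nginx_log_paths() {
    awk '
        { sub(/#.*/, "") }                        # drop comments
        $1 == "access_log" || $1 == "error_log" {
            p = $2
            sub(/;$/, "", p)                      # strip trailing semicolon
            # Skip targets that are not plain files on disk.
            if (p == "off" || p == "stderr") next
            if (p ~ /^(syslog|memory):/ || p ~ /\$/) next
            print p
        }' "$1"
}

# Print each configured log file that other users can read.
world_readable_logs() {
    nginx_log_paths "$1" | sort -u | while IFS= read -r path; do
        [ -f "$path" ] || continue
        # -perm -004 matches when the "other" read bit is set.
        if [ -n "$(find "$path" -prune -perm -004)" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Run against a config file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    world_readable_logs "$1"
fi
```

Any file it prints can be tightened with `chmod o-r`; a log rotation job that recreates the file with a wider mode will undo that change.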