Vulnerabilities > Gentoo

DATE CVE VULNERABILITY TITLE RISK
2020-01-21 CVE-2019-20384 Improper Preservation of Permissions vulnerability in Gentoo Portage
Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners.
local
low complexity
gentoo CWE-281
2.1
2018-06-04 CVE-2017-18285 Incorrect Permission Assignment FOR Critical Resource vulnerability in Burp Project Burp
The Gentoo app-backup/burp package before 2.1.32 has incorrect group ownership of the /etc/burp directory, which might allow local users to obtain read and write access to arbitrary files by leveraging access to a certain account for a burp-server.conf change.
local
low complexity
burp-project gentoo CWE-732
3.6
2018-06-04 CVE-2017-18284 Incorrect Permission Assignment FOR Critical Resource vulnerability in Burp Project Burp
The Gentoo app-backup/burp package before 2.1.32 sets the ownership of the PID file directory to the burp account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL.
local
low complexity
burp-project gentoo CWE-732
3.6
2018-03-12 CVE-2017-18226 Incorrect Permission Assignment FOR Critical Resource vulnerability in Jabberd2
The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of /var/run/jabber to the jabber account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script executes a "kill -TERM `cat /var/run/jabber/filename.pid`" command.
local
low complexity
jabberd2 gentoo CWE-732
2.1
2018-03-12 CVE-2017-18225 Incorrect Permission Assignment FOR Critical Resource vulnerability in Jabberd2
The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, jabberd2-c2s, jabberd2-router, jabberd2-s2s, and jabberd2-sm in /usr/bin owned by the jabber account, which might allow local users to gain privileges by leveraging access to this account and then waiting for root to execute one of these programs.
local
low complexity
jabberd2 gentoo CWE-732
4.6
2017-10-27 CVE-2017-15945 Incorrect Permission Assignment FOR Critical Resource vulnerability in multiple products
The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link.
local
low complexity
mariadb mysql gentoo CWE-732
7.2
2017-09-25 CVE-2017-14730 Incorrect Permission Assignment FOR Critical Resource vulnerability in Elasticsearch Logstash
The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link.
local
low complexity
elasticsearch gentoo CWE-732
7.2
2017-09-15 CVE-2017-14484 Improper Privilege Management vulnerability in Gentoo Sci-Mathematics-Gimps 28.10
The Gentoo sci-mathematics/gimps package before 28.10-r1 for Great Internet Mersenne Prime Search (GIMPS) allows local users to gain privileges by creating a hard link under /var/lib/gimps, because an unsafe "chown -R" command is executed.
local
gentoo CWE-269
6.9
2017-09-15 CVE-2017-14483 Race Condition vulnerability in Gentoo Dev-Python-Flower
flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 for Celery Flower sets PID file ownership to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command.
local
low complexity
gentoo CWE-362
4.9
2017-06-27 CVE-2004-2778 Permissions, Privileges, and Access Controls vulnerability in Gentoo Portage
Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted commands via navigating to the affected directories, or executing the affected commands.
local
low complexity
gentoo CWE-264
3.6