CVE-2015-1350

Advisory lineage Upstream: 0 Downstream: 12

Downstream

DEBIAN-CVE-2015-1350 DLA-772-1 SUSE-SU-2017:0181-1 SUSE-SU-2017:0333-1 SUSE-SU-2017:0437-1 SUSE-SU-2017:0494-1

Modified

Published: 02 May 2016, 10:00

Last modified:06 Aug 2024, 04:40

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

5.5 MEDIUM

v3.1 (nvd)

EPSS Score

0.07% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

02 May 2016, 10:00

Published

Vulnerability first disclosed

06 Aug 2024, 04:40

Last Modified

Vulnerability information updated

Description

The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
v2.0•LOW•Score: 2.1AV:L/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.07%• Percentile: 20%

Techniques & Countermeasures

CWE-552•Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.

Affected Systems

linux•linux_kernel
≥ 3.0, ≤ 3.19.8
redhat•enterprise_linux
5.0 | 6.0 | 7.0
redhat•enterprise_mrg
2.0