Home > Vulnerability Database > CVE-2011-0017

Mend.io Vulnerability Database

CVE-2011-0017

Date: February 1, 2011

The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.

Language: C

Severity Score

7.4

Related Resources (19)

Url: https://access.redhat.com/security/cve/CVE-2011-0017

Url: ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74

Url: http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html

Url: http://osvdb.org/70696

Url: https://exchange.xforce.ibmcloud.com/vulnerabilities/65028

Url: http://www.ubuntu.com/usn/USN-1060-1

Url: http://secunia.com/advisories/43243

Url: http://secunia.com/advisories/43101

Url: http://secunia.com/advisories/43128

Url: http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2011-0017

Url: http://www.securityfocus.com/bid/46065

Url: http://www.vupen.com/english/advisories/2011/0224

Url: http://www.debian.org/security/2011/dsa-2154

Url: http://www.vupen.com/english/advisories/2011/0245

Url: http://www.vupen.com/english/advisories/2011/0464

Url: http://www.vupen.com/english/advisories/2011/0364

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2011-0017

Url: https://www.mend.io/vulnerability-database/CVE-2011-0017

Severity Score

7.4

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improper Link Resolution Before File Access ('Link Following')

CWE-59

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.9
Access Vector (AV):	LOCAL
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2011-0017

Date: February 1, 2011

Language: C

Severity Score

Related Resources (19)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?