CVE-2010-3999

EUVD-2010-3975
gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.9 UNKNOWN
LOCAL
MEDIUM
AV:L/AC:M/Au:N/C:C/I:C/A:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
gnucashgnucash
𝑥
≤ 2.3.15
gnucashgnucash
1.8.3
gnucashgnucash
1.8.4
gnucashgnucash
1.8.5
gnucashgnucash
2.0.0
gnucashgnucash
2.0.1
gnucashgnucash
2.2.0
gnucashgnucash
2.2.1
gnucashgnucash
2.2.2
gnucashgnucash
2.2.3
gnucashgnucash
2.2.4
gnucashgnucash
2.2.5
gnucashgnucash
2.2.6
gnucashgnucash
2.2.7
gnucashgnucash
2.2.8
gnucashgnucash
2.2.9
gnucashgnucash
2.3.0
gnucashgnucash
2.3.1
gnucashgnucash
2.3.2
gnucashgnucash
2.3.3
gnucashgnucash
2.3.4
gnucashgnucash
2.3.5
gnucashgnucash
2.3.6
gnucashgnucash
2.3.7
gnucashgnucash
2.3.8
gnucashgnucash
2.3.9
gnucashgnucash
2.3.10
gnucashgnucash
2.3.11
gnucashgnucash
2.3.12
gnucashgnucash
2.3.13
gnucashgnucash
2.3.14
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gnucash
bookworm
1:4.13-1
fixed
bullseye
1:4.4-1
fixed
lenny
no-dsa
sid
1:5.8-1
fixed
trixie
1:5.8-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gnucash
dapper
ignored
hardy
ignored
karmic
ignored
lucid
ignored
maverick
ignored
natty
ignored
oneiric
ignored
precise
not-affected
quantal
not-affected
raring
ignored
saucy
not-affected
References
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050269.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050164.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050177.html
http://secunia.com/advisories/42048
http://secunia.com/advisories/42054
http://www.mandriva.com/security/advisories?name=MDVSA-2010:241
http://www.securityfocus.com/bid/44563
http://www.vupen.com/english/advisories/2010/2848
http://www.vupen.com/english/advisories/2010/2898
http://www.vupen.com/english/advisories/2010/3060
https://bugzilla.redhat.com/show_bug.cgi?id=644933
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050269.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050164.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050177.html
http://secunia.com/advisories/42048
http://secunia.com/advisories/42054
http://www.mandriva.com/security/advisories?name=MDVSA-2010:241
http://www.securityfocus.com/bid/44563
http://www.vupen.com/english/advisories/2010/2848
http://www.vupen.com/english/advisories/2010/2898
http://www.vupen.com/english/advisories/2010/3060
https://bugzilla.redhat.com/show_bug.cgi?id=644933