CVE-2014-9091

EUVD-2014-8917
Icecast before 2.4.0 does not change the supplementary group privileges when <changeowner> is configured, which allows local users to gain privileges via unspecified vectors.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.6 UNKNOWN
LOCAL
LOW
AV:L/AC:L/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
icecasticecast
𝑥
≤ 2.3.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icecast2
bookworm
2.4.4-4
fixed
bullseye
2.4.4-4
fixed
sid
2.4.4-4
fixed
squeeze
no-dsa
trixie
2.4.4-4
fixed
wheezy
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icecast2
lucid
ignored
precise
ignored
trusty
Fixed 2.3.3-2ubuntu1.14.04.1
released
utopic
Fixed 2.3.3-2ubuntu1.14.10.1
released
vivid
not-affected
wily
not-affected
xenial
not-affected
yakkety
not-affected
zesty
not-affected
Common Weakness Enumeration
References
http://icecast.org/news/icecast-release-2_4_0/
http://lists.opensuse.org/opensuse-updates/2014-12/msg00037.html
http://seclists.org/oss-sec/2014/q4/794
http://seclists.org/oss-sec/2014/q4/802
https://bugzilla.redhat.com/show_bug.cgi?id=1168146
https://trac.xiph.org/changeset/19137/
http://icecast.org/news/icecast-release-2_4_0/
http://lists.opensuse.org/opensuse-updates/2014-12/msg00037.html
http://seclists.org/oss-sec/2014/q4/794
http://seclists.org/oss-sec/2014/q4/802
https://bugzilla.redhat.com/show_bug.cgi?id=1168146
https://trac.xiph.org/changeset/19137/