CVE-2017-14730

EUVD-2017-6227
The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Affected Products (NVD)
VendorProductVersion
elasticsearchlogstash
5.0.0
elasticsearchlogstash
5.0.1
elasticsearchlogstash
5.0.2
elasticsearchlogstash
5.1.1
elasticsearchlogstash
5.1.2
elasticsearchlogstash
5.2.0
elasticsearchlogstash
5.2.1
elasticsearchlogstash
5.3.0
elasticsearchlogstash
5.3.1
elasticsearchlogstash
5.3.2
elasticsearchlogstash
5.4.1
elasticsearchlogstash
5.4.2
elasticsearchlogstash
5.4.3
elasticsearchlogstash
5.5.0
elasticsearchlogstash
5.5.1
elasticsearchlogstash
5.5.2
elasticsearchlogstash
5.6.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugs.gentoo.org/628558
https://github.com/gentoo/gentoo/pull/5665
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18f97c851c209f291b31ae7a902719f1c17c79fa
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd6cb398c1740c68e9b1b78340c887c58c1fbda
https://bugs.gentoo.org/628558
https://github.com/gentoo/gentoo/pull/5665
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18f97c851c209f291b31ae7a902719f1c17c79fa
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd6cb398c1740c68e9b1b78340c887c58c1fbda