CVE-2017-18226

EUVD-2017-9358
The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of /var/run/jabber to the jabber account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script executes a "kill -TERM `cat /var/run/jabber/filename.pid`" command.
Provider: NIST
Type: Primary
Base Score: 5.5 MEDIUM (CVSS 3.x)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Percentile: 4%
Affected Products (NVD)
Vendor: jabberd2
Product: jabberd2
Version: 𝑥 ≤ 2.6.1 (𝑥 = vulnerable software versions)
Debian Releases
Debian Product: jabberd2
bookworm: ignored
bullseye: ignored
buster: ignored
sid: vulnerable
stretch: ignored
trixie: vulnerable
Ubuntu Releases
Ubuntu Product: jabberd2
bionic: not-affected
focal: not-affected
trusty: dne
xenial: not-affected