CVE-2018-19044

keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
VendorProductVersion
keepalivedkeepalived
2.0.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
keepalived
bullseye
1:2.1.5-0.2+deb11u1
fixed
bookworm
1:2.2.7-1
fixed
sid
1:2.3.1-1
fixed
trixie
1:2.3.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
keepalived
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
ignored
bionic
needed
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2019:2285
https://bugzilla.suse.com/show_bug.cgi?id=1015141
https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306
https://github.com/acassen/keepalived/issues/1048
https://security.gentoo.org/glsa/201903-01
https://access.redhat.com/errata/RHSA-2019:2285
https://bugzilla.suse.com/show_bug.cgi?id=1015141
https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306
https://github.com/acassen/keepalived/issues/1048
https://security.gentoo.org/glsa/201903-01