CVE-2019-3689

In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating or overwriting files anywhere on the system.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.1 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| suse | CNA | 5.1 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| CVE | ADP | --- | --- | | | |

EPSS Score percentile: 30%

| Vendor | Product | Version |
|---|---|---|
| linux-nfs | nfs-utils | 𝑥 ≤ 1.3.0-34.18.1 |
| linux-nfs | nfs-utils | 𝑥 ≤ 2.1.1-6.10.2 |

𝑥 = Vulnerable software versions

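Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| nfs-utils | bullseye | 1:1.3.4-6+deb11u1 | fixed |
| nfs-utils | bookworm | 1:2.6.2-4 | fixed |
| nfs-utils | sid | 1:2.8.1-1 | fixed |
| nfs-utils | trixie | 1:2.8.1-1 | fixed |
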
Ubuntu Releases

| Ubuntu Product | Codename | Fixed version | Status |
|---|---|---|---|
| nfs-utils | noble | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | mantic | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | lunar | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | kinetic | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | jammy | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | impish | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | hirsute | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | groovy | 1:1.3.4-2.5ubuntu5 | released |
| nfs-utils | focal | 1:1.3.4-2.5ubuntu3.3 | released |
| nfs-utils | eoan | 1:1.3.4-2.5ubuntu2.1 | released |
| nfs-utils | disco | | ignored |
| nfs-utils | bionic | 1:1.3.4-2.1ubuntu5.3 | released |
| nfs-utils | xenial | 1:1.2.8-9ubuntu12.3 | released |
| nfs-utils | trusty | | needed |