CVE-2019-3843
26.04.2019, 21:29
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.Enginsight
| Vendor | Product | Version |
|---|---|---|
| systemd_project | systemd | 𝑥 < 242 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 19.10 |
| netapp | hci_management_node | - |
| netapp | snapprotect | - |
| netapp | solidfire | - |
| netapp | cn1610_firmware | - |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-266 - Incorrect Privilege AssignmentA product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
- CWE-269 - Improper Privilege ManagementThe software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
References