CVE-2008-3356
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
6.2 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
5.1%
verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verifying that it is the applicationโs own log file, which allows local users to overwrite arbitrary files by creating a symlink with an iivdb.log filename.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ingres:ingres | ingres | eq | 2.6 |
| ingres:ingres | ingres | eq | 2006 |
References
labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
secunia.com/advisories/31357
secunia.com/advisories/31398
securitytracker.com/id?1020613
www.ingres.com/support/security-alert-080108.php
www.securityfocus.com/archive/1/495177/100/0/threaded
www.securityfocus.com/bid/30512
www.vupen.com/english/advisories/2008/2292
www.vupen.com/english/advisories/2008/2313
exchange.xforce.ibmcloud.com/vulnerabilities/44177
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989
Related
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
6.2 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
5.1%