Lucene search

[email protected]CVE-2013-2239

HistoryNov 12, 2013 - 2:35 p.m.

CVE-2013-2239

2013-11-1214:35:11

CWE-264

[email protected]

web.nvd.nist.gov

cve-2013-2239

vzkernel

openvz

linux kernel

sensitive information

ioctl

quotactl

nvd

4.7 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

5.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

JSON

vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via (1) a crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function in drivers/block/ploop/dev.c, or (2) a crafted quotactl system call, related to the compat_quotactl function in fs/quota/quota.c.

Affected configurations

NVD

Node

openvzvzkernelMatch2.6.32

CPENameOperatorVersion
openvz:vzkernelopenvz vzkerneleq2.6.32

CPE	Name	Operator	Version
openvz:vzkernel	openvz vzkernel	eq	2.6.32

References

openwall.com/lists/oss-security/2013/07/04/9

wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2

www.debian.org/security/2013/dsa-2766

bugs.gentoo.org/show_bug.cgi?id=475762

security-tracker.debian.org/tracker/CVE-2013-2239

4.7 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

5.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for CVE-2013-2239

redhatcve1 prion1 debiancve1 cvelist1 nvd1 nessus1 osv1 openvas2 debian1