{"containers":{"cna":{"affected":[{"product":"SUSE Linux Enterprise Server 12","vendor":"SUSE","versions":[{"status":"affected","version":"before and including version 1.3.0-34.18.1"}]},{"product":"SUSE Linux Enterprise Server 15","vendor":"SUSE","versions":[{"status":"affected","version":"before and including version 2.1.1-6.10.2"}]}],"credits":[{"lang":"en","value":"Malte Kraus of SUSE"}],"datePublic":"2019-09-17T00:00:00.000Z","descriptions":[{"lang":"en","value":"In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"LOW","baseScore":5.1,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-276","description":"CWE-276 Incorrect Default Permissions","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2020-07-02T16:06:23.000Z","orgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","shortName":"suse"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1150733"},{"name":"[debian-lts-announce] 20191019 [SECURITY] [DLA 1965-1] nfs-utils security update","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00026.html"},{"name":"openSUSE-SU-2019:2408","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00071.html"},{"name":"openSUSE-SU-2019:2435","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00006.html"},{"tags":["x_refsource_MISC"],"url":"https://git.linux-nfs.org/?p=steved/nfs-utils.git%3Ba=commitdiff%3Bh=fee2cc29e888f2ced6a76990923aef19d326dc0e"},{"name":"USN-4400-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4400-1/"}],"source":{"advisory":"https://bugzilla.suse.com/show_bug.cgi?id=1150733","defect":["1150733"],"discovery":"INTERNAL"},"title":"nfs-utils: root-owned files stored in insecure /var/lib/nfs directory","x_generator":{"engine":"Vulnogram 0.0.8"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@suse.com","DATE_PUBLIC":"2019-09-17T00:00:00.000Z","ID":"CVE-2019-3689","STATE":"PUBLIC","TITLE":"nfs-utils: root-owned files stored in insecure /var/lib/nfs directory"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SUSE Linux Enterprise Server 12","version":{"version_data":[{"version_value":"before and including version 1.3.0-34.18.1"}]}},{"product_name":"SUSE Linux Enterprise Server 15","version":{"version_data":[{"version_value":"before and including version 2.1.1-6.10.2"}]}}]},"vendor_name":"SUSE"}]}},"credit":[{"lang":"eng","value":"Malte Kraus of SUSE"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system."}]},"generator":{"engine":"Vulnogram 0.0.8"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"LOW","baseScore":5.1,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-276 Incorrect Default Permissions"}]}]},"references":{"reference_data":[{"name":"https://bugzilla.suse.com/show_bug.cgi?id=1150733","refsource":"CONFIRM","url":"https://bugzilla.suse.com/show_bug.cgi?id=1150733"},{"name":"[debian-lts-announce] 20191019 [SECURITY] [DLA 1965-1] nfs-utils security update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00026.html"},{"name":"openSUSE-SU-2019:2408","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00071.html"},{"name":"openSUSE-SU-2019:2435","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00006.html"},{"name":"https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e","refsource":"MISC","url":"https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e"},{"name":"USN-4400-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/4400-1/"}]},"source":{"advisory":"https://bugzilla.suse.com/show_bug.cgi?id=1150733","defect":["1150733"],"discovery":"INTERNAL"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T19:19:17.496Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1150733"},{"name":"[debian-lts-announce] 20191019 [SECURITY] [DLA 1965-1] nfs-utils security update","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00026.html"},{"name":"openSUSE-SU-2019:2408","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00071.html"},{"name":"openSUSE-SU-2019:2435","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00006.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://git.linux-nfs.org/?p=steved/nfs-utils.git%3Ba=commitdiff%3Bh=fee2cc29e888f2ced6a76990923aef19d326dc0e"},{"name":"USN-4400-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4400-1/"}]}]},"cveMetadata":{"assignerOrgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","assignerShortName":"suse","cveId":"CVE-2019-3689","datePublished":"2019-09-19T13:27:58.449Z","dateReserved":"2019-01-03T00:00:00.000Z","dateUpdated":"2024-09-17T04:14:20.947Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}