Inclusion of Functionality from Untrusted Control Sphere

Affecting procps package, versions <2:3.3.9-9+deb8u1

Overview

procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with the HOME environment variable unset while the current working directory is attacker-controlled, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.

CVSS Score

7.0 (high severity)

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2018-1122
CWE: CWE-829
Snyk ID: SNYK-DEBIAN8-PROCPS-309322
Disclosed: 23 May, 2018
Published: 23 May, 2018