Vulnerability Details : CVE-2006-7098
The Debian GNU/Linux 033_-F_NO_SETSID patch for the Apache HTTP Server 1.3.34-4 does not properly disassociate httpd from a controlling tty when httpd is started interactively, which allows local users to gain privileges to that tty via a CGI program that calls the TIOCSTI ioctl.
Products affected by CVE-2006-7098
- cpe:2.3:a:debian:apache:1.3.34.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2006-7098
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2006-7098
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.6
|
MEDIUM | AV:L/AC:M/Au:S/C:C/I:C/A:C |
2.7
|
10.0
|
NIST |
CWE ids for CVE-2006-7098
-
Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2006-7098
-
Red Hat 2007-03-05Not vulnerable. This issue was specific to a Debian patch to Apache HTTP Server.
-
Apache 2008-07-02This issue did not affect the upstream Apache HTTP Server versions.
References for CVE-2006-7098
Jump to