Vulnerability Details: CVE-2008-5110
syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. This flaw affects syslog-ng versions prior to and including 2.0.9.
Products affected by CVE-2008-5110
- cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-5110
- EPSS score: 0.96% (probability of exploitation activity in the next 30 days)
- Percentile: ~75% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2008-5110
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
References for CVE-2008-5110
- http://www.vupen.com/english/advisories/2010/1796
  Webmail | OVH- OVH (Permissions Required; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2008/11/17/3
  oss-security - CVE Request (syslog-ng) (Mailing List; Third Party Advisory)
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083
  (Broken Link)
- http://security.gentoo.org/glsa/glsa-200907-10.xml
  Syslog-ng: Chroot escape (GLSA 200907-10) — Gentoo security (Third Party Advisory)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
  #505791 - syslog-ng doesn't chdir before chroot - Debian Bug report logs (Issue Tracking; Third Party Advisory)