Vulnerability Details : CVE-2009-3289
The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.
Products affected by CVE-2009-3289
- cpe:2.3:o:suse:suse_linux_enterprise_server:11:-:*:*:*:*:*:*
- cpe:2.3:a:gnome:glib:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3289
- 0.04%: Probability of exploitation activity in the next 30 days
- ~ 6 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2009-3289
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 2024-02-08 |
CWE ids for CVE-2009-3289
- Assigned by: nvd@nist.gov (Primary)
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-3289
- Red Hat, 2009-09-23: Not vulnerable. This issue does not affect the versions of glib2 as shipped with Red Hat Enterprise Linux 3, 4, or 5.
References for CVE-2009-3289
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:010 (Third Party Advisory)
- https://bugzilla.gnome.org/show_bug.cgi?id=593406
  Bug 593406 – Permissions on user home directory (source) set to 777 after copying it via nautilus (Exploit; Issue Tracking)
- https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/418135
  Bug #418135 “Permissions of symlinked source file/folder set to ...” : Bugs : glib2.0 package : Ubuntu (Exploit; Issue Tracking)
- http://www.openwall.com/lists/oss-security/2009/09/08/8
  oss-security - CVE Request - glib symlink copying permission exposure (Mailing List)
- http://www.vupen.com/english/advisories/2010/1001
  Webmail | OVH- OVH (Permissions Required)
- http://secunia.com/advisories/39656
  Sign in (Broken Link)