Vulnerability Details : CVE-2012-0878
Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.
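The defect is a privilege drop that changes uid and gid but leaves root's supplementary group list in place. The following added example (not Paste Script's code nor the referenced fix) shows the hardened sequence: clear the supplementary groups, load the target user's groups with initgroups, then setgid, then setuid, and verify the result; `drop_privileges` and `verify_privilege_drop` are names chosen here.

```python
import grp
import os
import pwd


def verify_privilege_drop(uid, gid, allowed_groups):
    """Return True if this process runs as uid/gid and holds no supplementary
    group outside allowed_groups (the check the vulnerable code never made)."""
    leaked = set(os.getgroups()) - set(allowed_groups)
    return (os.getuid() == uid and os.geteuid() == uid
            and os.getgid() == gid and not leaked)


def target_groups(username, primary_gid):
    """All gids the user is entitled to: primary gid plus /etc/group memberships."""
    return {g.gr_gid for g in grp.getgrall() if username in g.gr_mem} | {primary_gid}


def drop_privileges(username):
    """Drop from root to `username` including the supplementary group list.
    Order matters: groups first, then gid, then uid, because after setuid()
    the process can no longer change its group list."""
    if os.getuid() != 0:
        raise RuntimeError("drop_privileges must be called while running as root")
    pw = pwd.getpwnam(username)
    allowed = target_groups(username, pw.pw_gid)
    # The step missing from the vulnerable code: without it, root's supplementary
    # groups survive setgid()/setuid() and keep granting file access.
    os.setgroups([])                      # clear inherited supplementary groups
    os.initgroups(username, pw.pw_gid)    # install the target user's groups
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if not verify_privilege_drop(pw.pw_uid, pw.pw_gid, allowed):
        raise RuntimeError("privilege drop incomplete: %r" % os.getgroups())
```

`verify_privilege_drop` can also be run from an already-unprivileged worker at startup to detect a server that was launched with an incomplete drop.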
Products affected by CVE-2012-0878
- cpe:2.3:a:pythonpaste:paste:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-0878
4.91%: probability of exploitation activity in the next 30 days
EPSS Score History
~93%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2012-0878
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P | 4.9 | 6.4 | NIST | |
CWE ids for CVE-2012-0878
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0878
- https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve (Bitbucket, Patch; link now returns 404)
- http://www.openwall.com/lists/oss-security/2012/02/23/4 (oss-security - Re: CVE Request -- python-paste-script: Supplementary groups not dropped when started an application with "paster serve" as root)
- https://bugzilla.redhat.com/show_bug.cgi?id=796790 (796790 - (CVE-2012-0878) CVE-2012-0878 python-paste-script: Supplementary groups not dropped when started an application with "paster serve" as root)
- https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4 (Bitbucket, Patch; link now returns 404)
- http://rhn.redhat.com/errata/RHSA-2012-1206.html (RHSA-2012:1206 - Security Advisory - Red Hat Customer Portal)
- http://www.openwall.com/lists/oss-security/2012/02/23/1 (oss-security - CVE Request -- python-paste-script: Supplementary groups not dropped when started an application with "paster serve" as root; Patch)
- http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471 (initgroups - Google Groups)