Vulnerability Details : CVE-2013-0296
Race condition in pigz before 2.2.5 uses permissions derived from the umask when compressing a file before setting that file's permissions to match those of the original file, which might allow local users to bypass intended access permissions while compression is occurring.
Products affected by CVE-2013-0296
- cpe:2.3:a:zlib:pigz:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-0296
- 0.04%: Probability of exploitation activity in the next 30 days
- ~6%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-0296
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
CWE ids for CVE-2013-0296
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-0296
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700608
  #700608 - pigz creates temp files with too wide permissions (CVE-2013-0296) - Debian Bug report logs
- http://www.openwall.com/lists/oss-security/2013/02/15/4
  oss-security - CVE# request: pigz creates temp file with insecure permissions
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00106.html
  openSUSE-SU-2013:0540-1: moderate: pigz: fixed unpacking permissions
- http://www.openwall.com/lists/oss-security/2013/02/16/3
  oss-security - Re: CVE# request: pigz creates temp file with insecure permissions
- http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html
  [pigz-announce] pigz version 2.2.5 released