CVE-2014-0243 : Check_MK through 1.2.5i2p1 allows local users to read arbitrary files via a syml

Check_MK through 1.2.5i2p1 allows local users to read arbitrary files via a symlink attack to a file in /var/lib/check_mk_agent/job.

Published 2018-07-19 17:29:00

Updated 2018-09-17 18:04:42

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2014-0243

Check Mk Project » Check Mk
Versions up to, including, (<=) 1.2.5
cpe:2.3:a:check_mk_project:check_mk:*:*:*:*:*:*:*:*
Matching versions
Check Mk Project » Check Mk » Version: 1.2.5 Update I2p1
cpe:2.3:a:check_mk_project:check_mk:1.2.5:i2p1:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-0243

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 16 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-0243

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2014-0243

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-0243

https://www.securityfocus.com/archive/1/532224/100/0/threaded

SecurityFocus
Exploit;Third Party Advisory;VDB Entry
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a2ef8d00c53ec9cbd05c4ae2f09b50761130e7ce

Fix security issue with mk-job on Linux · tribe29/checkmk@a2ef8d0 · GitHub
Patch;Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134160.html

[SECURITY] Fedora 19 Update: check-mk-1.2.4p2-2.fc19
Exploit;Mailing List;Third Party Advisory
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0426323df1641596c4f01ef5a716a3b65276f01c

Fix security issue with mk-job on Linux · tribe29/checkmk@0426323 · GitHub
Patch;Third Party Advisory
http://www.securityfocus.com/bid/67674

Check_MK File Processing Arbitrary File Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://secuniaresearch.flexerasoftware.com/advisories/58536

Sign in
Permissions Required;Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/05/28/1

oss-security - LSE Leading Security Experts GmbH - LSE-2014-05-21 - Check_MK - Arbitrary File Disclosure Vulnerability
Exploit;Mailing List;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1101669

1101669 – (CVE-2014-0243) CVE-2014-0243 check-mk: arbitrary file disclosure flaw as root
Issue Tracking;Patch;Third Party Advisory
http://packetstormsecurity.com/files/126857/Check_MK-Arbitrary-File-Disclosure.html

Check_MK Arbitrary File Disclosure ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://seclists.org/fulldisclosure/2014/May/145

Full Disclosure: LSE Leading Security Experts GmbH - LSE-2014-05-21 - Check_MK - Arbitrary File Disclosure Vulnerability
Mailing List;Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134166.html

[SECURITY] Fedora 20 Update: check-mk-1.2.4p2-2.fc20
Exploit;Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2014-0243

Products affected by CVE-2014-0243

Exploit prediction scoring system (EPSS) score for CVE-2014-0243

CVSS scores for CVE-2014-0243

CWE ids for CVE-2014-0243

References for CVE-2014-0243