Vulnerability Details : CVE-2014-2905
fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the credentials, which allows local users to gain privileges via the universal variable socket, related to /tmp/fishd.socket.user permissions.
Products affected by CVE-2014-2905
- cpe:2.3:a:fishshell:fish:1.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:fishshell:fish:2.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-2905
- 0.04%: Probability of exploitation activity in the next 30 days
- ~ 7 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-2905
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | NIST | |
CWE ids for CVE-2014-2905
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2905
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00059.html
  [security-announce] openSUSE-SU-2019:2177-1: moderate: Security update for fish3 - openSUSE Security Announce - openSUSE Mailing Lists
- http://www.openwall.com/lists/oss-security/2014/04/28/4
  oss-security - Upcoming security release of fish 2.1.1
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00071.html
  [security-announce] openSUSE-SU-2019:2188-1: moderate: Security update for fish3 - openSUSE Security Announce - openSUSE Mailing Lists
- https://github.com/fish-shell/fish-shell/issues/1436
  /tmp/fishd.socket.user permissions checking (CVE-2014-2905) · Issue #1436 · fish-shell/fish-shell · GitHub