Vulnerability Details : CVE-2015-2285
The logrotation script (/etc/cron.daily/upstart) in the Ubuntu Upstart package before 1.13.2-0ubuntu9, as used in Ubuntu Vivid 15.04, allows local users to execute arbitrary commands and gain privileges via a crafted file in /run/user/*/upstart/sessions/.
Products affected by CVE-2015-2285
- cpe:2.3:a:ubuntu:upstart:*:*:*:*:*:*:*:*
- cpe:2.3:a:ubuntu:vivid:15.04:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2285
- 0.06%: probability of exploitation activity in the next 30 days
- ~28%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-2285
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
CWE ids for CVE-2015-2285
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2285
- http://www.halfdog.net/Security/2015/UpstartLogrotationPrivilegeEscalation/
  Upstart Logrotation Privilege Escalation (Exploit)
- http://seclists.org/fulldisclosure/2015/Mar/7
  Full Disclosure: upstart logrotate privilege escalation in Ubuntu Vivid (development) (Exploit)
- http://packetstormsecurity.com/files/130587/Ubuntu-Vivid-Upstart-Privilege-Escalation.html
  Ubuntu Vivid Upstart Privilege Escalation ≈ Packet Storm (Exploit)
- https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1425685
  Bug #1425685 “Missing input sanitation in upstart logrotation cr...” : Bugs : upstart package : Ubuntu (Exploit; Vendor Advisory)