CVE-2016-1247 : The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS

The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.

Published 2016-11-29 17:59:00

Updated 2021-12-14 21:04:24

Source Debian GNU/Linux

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2016-1247

Probability of exploitation activity in the next 30 days: 0.09%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 39 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-1247

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-1247

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-1247

http://www.securitytracker.com/id/1037104

nginx on Debian Log File Permissions Let Local Users Gain Elevated Privileges - SecurityTracker
Third Party Advisory;VDB Entry
https://www.youtube.com/watch?v=aTswN1k1fQs

EP 1. G1VE M3 R00T | CVE 2016-1247 - YouTube
Exploit;Third Party Advisory
http://seclists.org/fulldisclosure/2017/Jan/33

Full Disclosure: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE]
Mailing List;Third Party Advisory
http://www.securityfocus.com/bid/93903

Nginx CVE-2016-1247 Remote Privilege Escalation Vulnerability
Third Party Advisory;VDB Entry
http://seclists.org/fulldisclosure/2016/Nov/78

Full Disclosure: Nginx (Debian-based distros) - Root Privilege Escalation Vulnerability (CVE-2016-1247)
Mailing List;Third Party Advisory
http://www.debian.org/security/2016/dsa-3701

Debian -- Security Information -- DSA-3701-1 nginx
Vendor Advisory
https://security.gentoo.org/glsa/201701-22

NGINX: Privilege escalation (GLSA 201701-22) — Gentoo security
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESTIADC7BDB6VTH4JAP6C6OCW2CQ4NHP/

[SECURITY] Fedora 32 Update: nginx-1.20.0-2.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3WOO7E5R2HT5XVOIOFPEFALILVOWZUF/

[SECURITY] Fedora 33 Update: nginx-1.20.0-2.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247
Exploit;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBIZEKHBOCKO7FUMCO4X53ENMWU5OYFX/

[SECURITY] Fedora 34 Update: nginx-1.20.0-2.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
http://www.securityfocus.com/archive/1/539796/100/0/threaded

SecurityFocus
Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/139750/Nginx-Debian-Based-Distros-Root-Privilege-Escalation.html

Nginx Root Privilege Escalation ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://www.exploit-db.com/exploits/40768/

Nginx (Debian Based Distros + Gentoo) - 'logrotate' Local Privilege Escalation
Exploit;Third Party Advisory;VDB Entry
http://www.ubuntu.com/usn/USN-3114-1

USN-3114-1: nginx vulnerability | Ubuntu security notices
Vendor Advisory

Products affected by CVE-2016-1247

F5 » Nginx
Versions up to, including, (<=) 1.10.0
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
When used together with: Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
F5 » Nginx
Versions up to, including, (<=) 1.10.1
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
When used together with: Canonical » Ubuntu Linux » Version: 16.10
F5 » Nginx
Versions up to, including, (<=) 1.6.2
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
When used together with: Debian » Debian Linux » Version: 8.0
F5 » Nginx
Versions up to, including, (<=) 1.4.3
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
When used together with: Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-1247

Exploit prediction scoring system (EPSS) score for CVE-2016-1247

CVSS scores for CVE-2016-1247

CWE ids for CVE-2016-1247

References for CVE-2016-1247

Products affected by CVE-2016-1247