Vulnerability Details : CVE-2016-8605
The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected.
Products affected by CVE-2016-8605
- cpe:2.3:a:gnu:guile:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-8605
0.32%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 67 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-8605
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2016-8605
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-8605
-
http://www.openwall.com/lists/oss-security/2016/10/12/1
oss-security - Re: CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modificationMailing List;Patch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJP5S36GTXMDEBXWF6LKKV76DSLNQG44/
[SECURITY] Fedora 24 Update: guile-2.0.13-1.fc24 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QTAGSDCTYXTABAA77BQJGNKOOBRV4DK/
[SECURITY] Fedora 25 Update: guile-2.0.13-1.fc25 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
http://www.securityfocus.com/bid/93510
GNU Guile CVE-2016-8605 Local Security Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNVE5N24FLWDYBQ3LAFMF6BFCWKDO7VM/
[SECURITY] Fedora 23 Update: guile-2.0.13-1.fc23 - package-announce - Fedora Mailing-ListsThird Party Advisory
Jump to