Vulnerability Details : CVE-2020-35513
A flaw, an incorrect umask during file or directory modification, was found in the Linux kernel's NFS (network file system) functionality, in the way a user creates and deletes objects using NFSv4.2 or newer while another process that is not using NFSv4.2 simultaneously accesses the NFS. A user with access to the NFS could use this flaw to starve resources, causing a denial of service.
Vulnerability category: Denial of service
Products affected by CVE-2020-35513
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:4.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-35513
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- Percentile: ~35% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-35513
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P | 8.0 | 2.9 | NIST | |
4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 1.2 | 3.6 | NIST | |
CWE ids for CVE-2020-35513
- The product does not drop privileges before passing control of a resource to an actor that does not have those privileges. Assigned by: secalert@redhat.com (Primary)
References for CVE-2020-35513
- https://patchwork.kernel.org/project/linux-nfs/patch/20180403203916.GH20297@fieldses.org/
  nfsd: zero out umask if the client didn't provide one - Patchwork (Mailing List; Patch; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1911309
  1911309 – (CVE-2020-35513) CVE-2020-35513 kernel: Nfsd failure to clear umask after processing an open or create (Issue Tracking; Patch; Third Party Advisory)