SB2017061387 - Information disclosure in dropbear (Alpine package)
Published: June 13, 2017
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2017-9079)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists because the application allows the use of symlinks when configured with the authorized_keys file format and a command= option. A local user can read certain files on the system with root privileges.
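An added audit sketch, not part of this bulletin or of dropbear: it walks a home-directory root and reports any `.ssh` directory or `authorized_keys` file that is a symlink or is not owned by the home directory's owner, using `lstat` so a link target is never opened. The function names, the directory layout, the owner check and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_authorized_keys(home_root):
    """Return (path, reason) for every ~/.ssh or authorized_keys worth reviewing."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if os.path.islink(home) or not os.path.isdir(home):
            continue
        home_uid = os.lstat(home).st_uid
        ssh_dir = os.path.join(home, ".ssh")
        for path in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
            try:
                st = os.lstat(path)  # lstat inspects the link itself, not its target
            except OSError:
                break  # missing, or .ssh is not a directory
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink to " + os.readlink(path)))
                break  # do not look any further through a link
            if st.st_uid != home_uid:
                findings.append((path, "owner differs from home directory owner"))
    return findings


def build_sample_tree(root):
    """Create a constructed home tree under root and return the home root."""
    homes = os.path.join(root, "home")
    other = os.path.join(root, "other")
    os.makedirs(os.path.join(other, "keys"))
    with open(os.path.join(other, "decoy.txt"), "w") as f:
        f.write("constructed stand-in for a file only root can read\n")
    for user in ("alice", "bob", "carol"):
        os.makedirs(os.path.join(homes, user))
    os.mkdir(os.path.join(homes, "alice", ".ssh"))
    with open(os.path.join(homes, "alice", ".ssh", "authorized_keys"), "w") as f:
        f.write('command="/usr/bin/uptime" ssh-ed25519 AAAA-constructed alice\n')
    os.mkdir(os.path.join(homes, "bob", ".ssh"))
    os.symlink(os.path.join(other, "decoy.txt"),
               os.path.join(homes, "bob", ".ssh", "authorized_keys"))
    os.symlink(os.path.join(other, "keys"), os.path.join(homes, "carol", ".ssh"))
    return homes


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, reason in audit_authorized_keys(build_sample_tree(tmp)):
            print(path, "->", reason)
```

On a real host, call `audit_authorized_keys` with the directory that holds user homes and review each reported path before the package update is installed.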
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=ea5e2a6272e38458c8d64e5cb59cfc089a5c9a93
- https://git.alpinelinux.org/aports/commit/?id=9ee60284bf43844b66bb000070cc8cff672140a1
- https://git.alpinelinux.org/aports/commit/?id=b204c902de27dc4e5e9efddb3dd9af012c70e268
- https://git.alpinelinux.org/aports/commit/?id=b798fc52c6aa85782652617ee817f26a9412f861