Input validation error in collectd - CVE-2017-18240
Published: March 19, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU37389
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-18240
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: collectd
Affected software:
collectd
collectd
Detailed vulnerability description
The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownership of PID file directory to the collectd account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL (when the service is stopped).
How to mitigate CVE-2017-18240
Install update from vendor's website.