Information exposure in Linux kernel - CVE-2003-0476

 


Published: August 7, 2003 / Updated: May 3, 2018


Vulnerability identifier: #VU99959
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2003-0476
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information.

The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.


How to mitigate CVE-2003-0476

Install the update from the vendor's repository.
