Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.6
CVE Id CVE-2008-3356
Last Modified 07 Mar 2011 10:10:39
Published 05 Aug 2008 03:41:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector LOCAL
Access Complexity LOW
Authentication NONE

CVE-2008-3356

Summary

verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verifying that it is the application's own log file, which allows local users to overwrite arbitrary files by creating a symlink with an iivdb.log filename.

Vulnerable Systems

Application

  • Ingres 2.6

  • Ingres 2006


References

CONFIRM - https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989

XF - ingres-verifydb-symlink(44177)

VUPEN - ADV-2008-2313

VUPEN - ADV-2008-2292

BID - 30512

BUGTRAQ - 20080806 CA Products That Embed Ingres Multiple Vulnerabilities

CONFIRM - http://www.ingres.com/support/security-alert-080108.php

SECTRACK - 1020613

SECUNIA - 31398

SECUNIA - 31357

IDEFENSE - 20080801 Ingres Database for Linux verifydb Insecure File Permissions Modification Vulnerability


Last Updated: 27 May 2016 10:48:10