Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2009-3369

Overview

Vulnerability Score 8.5 8.5
CVE Id CVE-2009-3369
Last Modified 31 Oct 2009 02:22:56
Published 24 Sep 2009 12:30:02
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact COMPLETE COMPLETE
Availability Impact COMPLETE COMPLETE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2009-3369

Summary

CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in use in a multi-user environment, does not restrict users from the ClientNameAlias function, which allows remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore.

Vulnerable Systems

Application

  • Craig Barratt Backuppc 3.1.0


References

FEDORA - FEDORA-2009-9973

FEDORA - FEDORA-2009-9982

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=518412

SECUNIA - 37161

SECUNIA - 36393

OSVDB - 57236

MISC - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542218


Last Updated: 27 May 2016 10:51:14