CVE-2017-6964

CVSS v3.1 7.8 (High)

CVSS v2.0 7.2 (High)

EPSS 0.06 % (26^th)

Affected Products 2

Advisories 2

dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code, which was intended to run as an unprivileged user, as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS.

Weaknesses

CWE-252: Unchecked Return Value

CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2017-03-28 01:59:01
(7 years ago)
Updated Date: 2024-01-21 01:37:24
(8 months ago)

Affected Products

Canonical

Ubuntu Linux

Debian

Debian Linux

Configuration #1

		CPE23	From	Up To
	Canonical Ubuntu Linux 12.04	cpe:2.3:o:canonical:ubuntu_linux:12.04:::*:lts
	Canonical Ubuntu Linux 14.04	cpe:2.3:o:canonical:ubuntu_linux:14.04:::*:lts
	Canonical Ubuntu Linux 16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04:::*:lts
	Canonical Ubuntu Linux 16.10	cpe:2.3:o:canonical:ubuntu_linux:16.10

Configuration #2

		CPE23	From	Up To
	Debian Linux 8.0	cpe:2.3:o:debian:debian_linux:8.0