製品・ソフトウェアに関する情報

JVN脆弱性詳細

Exim の open_log 機能における任意のファイルにログデータをアペンドさせる脆弱性

Title	Exim の open_log 機能における任意のファイルにログデータをアペンドさせる脆弱性
Summary	Exim の log.c の open_log 機能は、(1) setuid または (2) setgid システムコールの戻り値をチェックしないため、任意のファイルへログデータをアペンドさせる脆弱性が存在します。
Possible impacts	ローカルユーザにより、シンボリックリンク攻撃を介して、任意のファイルへログデータをアペンドさせる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 12, 2010, midnight
Registration Date	March 27, 2012, 6:42 p.m.
Last Update	March 27, 2012, 6:42 p.m.

CVSS2.0 : 警告
Score	6.9
Vector	AV:L/AC:M/Au:N/C:C/I:C/A:C

Affected System

Exim Development

Exim 4.72 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-0017	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0017
National Vulnerability Database (NVD)
2	CVE-2011-0017	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0017

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-59	https://jvndb.jvn.jp/ja/cwe/CWE-59.html

ベンダー情報

No	Name	URL
Exim
1	Change log file for Exim from version 4.21	ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-0017

Summary	The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
Publication Date	Feb. 2, 2011, 10 a.m.
Registration Date	Jan. 28, 2021, 4:37 p.m.
Last Update	Nov. 21, 2024, 10:23 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:exim:exim:2.11:::::::*
cpe:2.3:a:exim:exim:4.70:::::::*
cpe:2.3:a:exim:exim:4.69:::::::*
cpe:2.3:a:exim:exim:4.66:::::::*
cpe:2.3:a:exim:exim:4.10:::::::*
cpe:2.3:a:exim:exim:3.16:::::::*
cpe:2.3:a:exim:exim:3.21:::::::*
cpe:2.3:a:exim:exim:3.01:::::::*
cpe:2.3:a:exim:exim:3.31:::::::*
cpe:2.3:a:exim:exim:4.24:::::::*
cpe:2.3:a:exim:exim:3.33:::::::*
cpe:2.3:a:exim:exim:3.30:::::::*
cpe:2.3:a:exim:exim::::::::		4.72
cpe:2.3:a:exim:exim:4.30:::::::*
cpe:2.3:a:exim:exim:4.21:::::::*
cpe:2.3:a:exim:exim:4.03:::::::*
cpe:2.3:a:exim:exim:4.51:::::::*
cpe:2.3:a:exim:exim:4.71:::::::*
cpe:2.3:a:exim:exim:4.67:::::::*
cpe:2.3:a:exim:exim:4.63:::::::*
cpe:2.3:a:exim:exim:4.00:::::::*
cpe:2.3:a:exim:exim:4.43:::::::*
cpe:2.3:a:exim:exim:4.22:::::::*
cpe:2.3:a:exim:exim:3.10:::::::*
cpe:2.3:a:exim:exim:4.40:::::::*
cpe:2.3:a:exim:exim:4.52:::::::*
cpe:2.3:a:exim:exim:3.36:::::::*
cpe:2.3:a:exim:exim:3.15:::::::*
cpe:2.3:a:exim:exim:4.60:::::::*
cpe:2.3:a:exim:exim:4.61:::::::*
cpe:2.3:a:exim:exim:2.12:::::::*
cpe:2.3:a:exim:exim:4.68:::::::*
cpe:2.3:a:exim:exim:4.54:::::::*
cpe:2.3:a:exim:exim:4.02:::::::*
cpe:2.3:a:exim:exim:4.23:::::::*
cpe:2.3:a:exim:exim:4.01:::::::*
cpe:2.3:a:exim:exim:3.34:::::::*
cpe:2.3:a:exim:exim:3.00:::::::*
cpe:2.3:a:exim:exim:4.62:::::::*
cpe:2.3:a:exim:exim:3.02:::::::*
cpe:2.3:a:exim:exim:3.03:::::::*
cpe:2.3:a:exim:exim:3.12:::::::*
cpe:2.3:a:exim:exim:3.20:::::::*
cpe:2.3:a:exim:exim:4.12:::::::*
cpe:2.3:a:exim:exim:3.22:::::::*
cpe:2.3:a:exim:exim:4.32:::::::*
cpe:2.3:a:exim:exim:4.11:::::::*
cpe:2.3:a:exim:exim:4.42:::::::*
cpe:2.3:a:exim:exim:4.05:::::::*
cpe:2.3:a:exim:exim:4.31:::::::*
cpe:2.3:a:exim:exim:3.14:::::::*
cpe:2.3:a:exim:exim:3.11:::::::*
cpe:2.3:a:exim:exim:3.35:::::::*
cpe:2.3:a:exim:exim:4.44:::::::*
cpe:2.3:a:exim:exim:4.14:::::::*
cpe:2.3:a:exim:exim:4.64:::::::*
cpe:2.3:a:exim:exim:4.04:::::::*
cpe:2.3:a:exim:exim:4.41:::::::*
cpe:2.3:a:exim:exim:4.20:::::::*
cpe:2.3:a:exim:exim:2.10:::::::*
cpe:2.3:a:exim:exim:4.65:::::::*
cpe:2.3:a:exim:exim:4.53:::::::*
cpe:2.3:a:exim:exim:4.33:::::::*
cpe:2.3:a:exim:exim:3.13:::::::*
cpe:2.3:a:exim:exim:4.50:::::::*
cpe:2.3:a:exim:exim:3.32:::::::*
cpe:2.3:a:exim:exim:4.34:::::::*

Related information, measures and tools

No	URL	タグ
1	ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
2	http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html	Patch
3	http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html
4	http://osvdb.org/70696
5	http://secunia.com/advisories/43101	Vendor Advisory
6	http://secunia.com/advisories/43128	Vendor Advisory
7	http://secunia.com/advisories/43243
8	http://www.debian.org/security/2011/dsa-2154
9	http://www.securityfocus.com/bid/46065
10	http://www.ubuntu.com/usn/USN-1060-1
11	http://www.vupen.com/english/advisories/2011/0224	Vendor Advisory
12	http://www.vupen.com/english/advisories/2011/0245	Vendor Advisory
13	http://www.vupen.com/english/advisories/2011/0364
14	http://www.vupen.com/english/advisories/2011/0464
15	https://exchange.xforce.ibmcloud.com/vulnerabilities/65028
16	ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
17	https://exchange.xforce.ibmcloud.com/vulnerabilities/65028
18	http://www.vupen.com/english/advisories/2011/0464
19	http://www.vupen.com/english/advisories/2011/0364
20	http://www.vupen.com/english/advisories/2011/0245	Vendor Advisory
21	http://www.vupen.com/english/advisories/2011/0224	Vendor Advisory
22	http://www.ubuntu.com/usn/USN-1060-1
23	http://www.securityfocus.com/bid/46065
24	http://www.debian.org/security/2011/dsa-2154
25	http://secunia.com/advisories/43243
26	http://secunia.com/advisories/43128	Vendor Advisory
27	http://secunia.com/advisories/43101	Vendor Advisory
28	http://osvdb.org/70696
29	http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html
30	http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html	Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html
2	CWE-59	リンク解釈の問題	https://cwe.mitre.org/data/definitions/59.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:exim:exim:2.11:::::::*
cpe:2.3:a:exim:exim:4.70:::::::*
cpe:2.3:a:exim:exim:4.69:::::::*
cpe:2.3:a:exim:exim:4.66:::::::*
cpe:2.3:a:exim:exim:4.10:::::::*
cpe:2.3:a:exim:exim:3.16:::::::*
cpe:2.3:a:exim:exim:3.21:::::::*
cpe:2.3:a:exim:exim:3.01:::::::*
cpe:2.3:a:exim:exim:3.31:::::::*
cpe:2.3:a:exim:exim:4.24:::::::*
cpe:2.3:a:exim:exim:3.33:::::::*
cpe:2.3:a:exim:exim:3.30:::::::*
cpe:2.3:a:exim:exim::::::::		4.72
cpe:2.3:a:exim:exim:4.30:::::::*
cpe:2.3:a:exim:exim:4.21:::::::*
cpe:2.3:a:exim:exim:4.03:::::::*
cpe:2.3:a:exim:exim:4.51:::::::*
cpe:2.3:a:exim:exim:4.71:::::::*
cpe:2.3:a:exim:exim:4.67:::::::*
cpe:2.3:a:exim:exim:4.63:::::::*
cpe:2.3:a:exim:exim:4.00:::::::*
cpe:2.3:a:exim:exim:4.43:::::::*
cpe:2.3:a:exim:exim:4.22:::::::*
cpe:2.3:a:exim:exim:3.10:::::::*
cpe:2.3:a:exim:exim:4.40:::::::*
cpe:2.3:a:exim:exim:4.52:::::::*
cpe:2.3:a:exim:exim:3.36:::::::*
cpe:2.3:a:exim:exim:3.15:::::::*
cpe:2.3:a:exim:exim:4.60:::::::*
cpe:2.3:a:exim:exim:4.61:::::::*
cpe:2.3:a:exim:exim:2.12:::::::*
cpe:2.3:a:exim:exim:4.68:::::::*
cpe:2.3:a:exim:exim:4.54:::::::*
cpe:2.3:a:exim:exim:4.02:::::::*
cpe:2.3:a:exim:exim:4.23:::::::*
cpe:2.3:a:exim:exim:4.01:::::::*
cpe:2.3:a:exim:exim:3.34:::::::*
cpe:2.3:a:exim:exim:3.00:::::::*
cpe:2.3:a:exim:exim:4.62:::::::*
cpe:2.3:a:exim:exim:3.02:::::::*
cpe:2.3:a:exim:exim:3.03:::::::*
cpe:2.3:a:exim:exim:3.12:::::::*
cpe:2.3:a:exim:exim:3.20:::::::*
cpe:2.3:a:exim:exim:4.12:::::::*
cpe:2.3:a:exim:exim:3.22:::::::*
cpe:2.3:a:exim:exim:4.32:::::::*
cpe:2.3:a:exim:exim:4.11:::::::*
cpe:2.3:a:exim:exim:4.42:::::::*
cpe:2.3:a:exim:exim:4.05:::::::*
cpe:2.3:a:exim:exim:4.31:::::::*
cpe:2.3:a:exim:exim:3.14:::::::*
cpe:2.3:a:exim:exim:3.11:::::::*
cpe:2.3:a:exim:exim:3.35:::::::*
cpe:2.3:a:exim:exim:4.44:::::::*
cpe:2.3:a:exim:exim:4.14:::::::*
cpe:2.3:a:exim:exim:4.64:::::::*
cpe:2.3:a:exim:exim:4.04:::::::*
cpe:2.3:a:exim:exim:4.41:::::::*
cpe:2.3:a:exim:exim:4.20:::::::*
cpe:2.3:a:exim:exim:2.10:::::::*
cpe:2.3:a:exim:exim:4.65:::::::*
cpe:2.3:a:exim:exim:4.53:::::::*
cpe:2.3:a:exim:exim:4.33:::::::*
cpe:2.3:a:exim:exim:3.13:::::::*
cpe:2.3:a:exim:exim:4.50:::::::*
cpe:2.3:a:exim:exim:3.32:::::::*
cpe:2.3:a:exim:exim:4.34:::::::*