CVE-2019-3689
Publication date 19 September 2019
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating or overwriting files anywhere on the system.
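An added example, not part of the advisory or of nfs-utils: a shell check for the ownership condition described above, which reports when the state directory belongs to an account other than the trusted one and lists the trusted-owned entries inside it. The function name `audit_state_dir` and its optional trusted-uid argument are assumptions made for this example, and it relies on GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example: audit the directory ownership described in CVE-2019-3689.
#
# audit_state_dir DIR [TRUSTED_UID]
#   DIR          directory to inspect (the advisory names /var/lib/nfs)
#   TRUSTED_UID  uid expected to own DIR (assumed default: 0, root)
# Return codes: 0 = owned by TRUSTED_UID, 1 = owned by another account,
#               2 = DIR could not be inspected.
audit_state_dir() {
    dir=$1
    trusted_uid=${2:-0}

    [ -d "$dir" ] || { echo "skip: $dir is not a directory" >&2; return 2; }

    # Numeric uid for the comparison, names only for the report.
    owner_uid=$(stat -c '%u' -- "$dir") || return 2
    owner_name=$(stat -c '%U:%G' -- "$dir")

    if [ "$owner_uid" = "$trusted_uid" ]; then
        echo "ok: $dir is owned by uid $trusted_uid ($owner_name)"
        return 0
    fi

    echo "FINDING: $dir is owned by $owner_name (uid $owner_uid), expected uid $trusted_uid"
    # Entries owned by the trusted account inside a directory that another
    # account controls are the files the advisory is concerned with.
    find "$dir" -mindepth 1 -maxdepth 1 -uid "$trusted_uid" \
        -printf '  trusted-owned entry: %p (%u:%g, mode %m)\n'
    return 1
}

# Check the path named in the advisory and show the resulting status.
audit_state_dir /var/lib/nfs || echo "exit status: $?"
```

A return code of 1 on a host running one of the affected package versions matches the condition in the description; the fixed package versions are listed in the status table.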
Status
Package | Ubuntu Release | Status |
---|---|---|
nfs-utils | 24.10 oracular | Fixed 1:1.3.4-2.5ubuntu5 |
nfs-utils | 24.04 LTS noble | Fixed 1:1.3.4-2.5ubuntu5 |
nfs-utils | 22.04 LTS jammy | Fixed 1:1.3.4-2.5ubuntu5 |
nfs-utils | 20.04 LTS focal | Fixed 1:1.3.4-2.5ubuntu3.3 |
nfs-utils | 18.04 LTS bionic | Fixed 1:1.3.4-2.1ubuntu5.3 |
nfs-utils | 16.04 LTS xenial | Fixed 1:1.2.8-9ubuntu12.3 |
nfs-utils | 14.04 LTS trusty | Ignored end of ESM support, was needed |
Patch details
Package | Patch details |
---|---|
nfs-utils |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 · Critical |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4400-1: nfs-utils vulnerability (22 June 2020)