VDB
CVE-2009-4411
CVE-2009-4411
PUBLISHED
CVSS 3.700000047683716 LOW
The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.
EPSS 0.07% · 21.0th percentile
Risk Scores
CVSS 2.0
3.700000047683716
EPSS Score
0.07%
21.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| xfs | acl | 2.2.47 |
Timeline
- Dec 24, 2009 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- http://oss.sgi.com/bugzilla/show_bug.cgi?id=790 url
- 61302 vdb
- http://git.savannah.gnu.org/cgit/acl.git/commit/?id=63451a0 url
- 37455 vdb
- 37907 third-party-advisory
- [oss-security] 20091223 CVE request: acl 2.2.47 always follows symlinks mailing-list
- MDVSA-2009:345 vendor-advisory
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076 url
- SUSE-SR:2010:002 vendor-advisory
- 38420 third-party-advisory
- acl-setfacl-getfacl-symlink(55004) vdb
- https://nvd.nist.gov/vuln/detail/CVE-2009-4411 advisory