CVE-2017-6964
dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code, which was intended to run as an unprivileged user, as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS.
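The bug class described above, as an added example that is not eject's own source: a privilege-drop helper written first in the vulnerable form (return values of setgid()/setuid() ignored) and then in a hardened form that checks every call and verifies the result. On Linux, setuid() can fail with EAGAIN when the target uid's RLIMIT_NPROC is exhausted, which a local attacker controls for their own uid, so an unchecked drop from root is exactly the path by which code "intended to run as an unprivileged user" runs as root. The function names and the main() usage are this example's own assumptions.

```c
/* Added example, not code from the eject package. Shows the unchecked
 * privilege-drop pattern CVE-2017-6964 describes next to a checked one.
 * Function names (drop_privileges_unchecked/checked) are assumed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* VULNERABLE pattern: both return values are silently discarded. If either
 * call fails (for example setuid() returning EAGAIN because the target uid
 * has hit RLIMIT_NPROC), the caller carries on with its root credentials and
 * every line after this point executes as root. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);   /* return value ignored */
    setuid(uid);   /* return value ignored */
}

/* HARDENED pattern. Order matters: clear supplementary groups and set the
 * gid while still root, then set the uid; after setuid() to a non-root uid
 * the gid can no longer be changed. Returns 0 on success, -1 on failure with
 * errno set. Callers must treat -1 as fatal and exit, never continue. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Only a privileged process can (or needs to) clear supplementary groups;
     * an unprivileged caller would get EPERM here, so skip it in that case. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Confirm the kernel really changed all of our ids, not just the
     * effective ones. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we dropped to a non-root uid, regaining root must now be impossible
     * (setuid() from root also replaces the saved set-user-id). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Drop to the invoking user's real ids, the usual target for a setuid
     * helper such as dmcrypt-get-device. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;   /* never fall through and keep running as root */
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as an unprivileged user, drop_privileges_checked(0, 0) returns -1 with errno EPERM, which is the behaviour the unchecked variant would have hidden: it would have left the process with whatever credentials it started with and returned nothing.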
Risk Scores
EPSS 0.09% · 24.9th percentile
Affected Products
| Platform | Package | Versions |
|---|---|---|
| Ubuntu 14.04 LTS | eject | 0, 2.1.5+deb1+cvs20081104-13, 2.1.5+deb1+cvs20081104-13.1 |
| Ubuntu 16.04 LTS | eject | 0, 2.1.5+deb1+cvs20081104-13.1 |
Exploit Intelligence
- DSA-3823, Debian security advisory (circl)
- https://www.ubuntu.com/usn/usn-3246-1/ (circl)
- 97154 (circl)
- https://launchpad.net/bugs/1673627 (circl)
Timeline
- Mar 27, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-6964 third-party-advisory
- https://ubuntu.com/security/notices/USN-3246-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-6964 third-party-advisory