VDB
CVE-2019-3844
CVE-2019-3844
PUBLISHED
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.
EPSS 0.15% · 35.5th percentile
Risk Scores
EPSS Score
0.15%
35.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | systemd | 234-2ubuntu12, 235-3ubuntu2, 235-3ubuntu3 |
Exploit Intelligence
- systemd DynamicUser SetUID Binary Creation Exploit (0day-today)
- systemd DynamicUser SetUID Binary Creation Exploit (0day-today)
- glcve_test.go (github-poc)
- glcve_test.go (github-poc)
- glcve_test.go (github-poc)
- glcve_test.go (github-poc)
- glcve_test.go (github-poc)
Timeline
- Apr 26, 2019 PoC Published
- Apr 26, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Jun 29, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-3844 third-party-advisory
- https://ubuntu.com/security/notices/USN-4269-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-3844 third-party-advisory