{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-06-18T00:00:00", "descriptions": [{"lang": "en", "value": "libgssapi and libgssglue before 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment variable, as demonstrated using mount.nfs."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-03-02T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20110721 CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2011/07/21/3"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.novell.com/show_bug.cgi?id=694598"}, {"name": "FEDORA-2012-7971", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082297.html"}, {"name": "45075", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/45075"}, {"name": "48490", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/48490"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.citi.umich.edu/projects/nfsv4/linux/libgssglue/libgssglue-0.4.tar.gz"}, {"name": "[oss-security] 20110722 Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2011/07/22/4"}, {"name": "FEDORA-2012-8067", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html"}, {"name": "[oss-security] 20110812 Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2011/08/12/10"}, {"name": "50785", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50785"}, {"name": "50973", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50973"}, {"name": "SUSE-SU-2011:0696", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lwn.net/Alerts/449415/"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T23:08:23.803Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20110721 CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2011/07/21/3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.novell.com/show_bug.cgi?id=694598"}, {"name": "FEDORA-2012-7971", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082297.html"}, {"name": "45075", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/45075"}, {"name": "48490", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/48490"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.citi.umich.edu/projects/nfsv4/linux/libgssglue/libgssglue-0.4.tar.gz"}, {"name": "[oss-security] 20110722 Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2011/07/22/4"}, {"name": "FEDORA-2012-8067", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html"}, {"name": "[oss-security] 20110812 Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2011/08/12/10"}, {"name": "50785", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/50785"}, {"name": "50973", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/50973"}, {"name": "SUSE-SU-2011:0696", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lwn.net/Alerts/449415/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-2709", "datePublished": "2012-06-21T15:00:00", "dateReserved": "2011-07-11T00:00:00", "dateUpdated": "2024-08-06T23:08:23.803Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:umich:libgssglue:*:*:*:*:*:*:*:*", "matchCriteriaId": "A99E8102-9FD5-4E76-AFFE-F288A39E69EA", "versionEndIncluding": "0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:umich:libgssglue:0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F6BF044B-AEAE-466E-85F4-56189E1D20BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:umich:libgssglue:0.2:*:*:*:*:*:*:*", "matchCriteriaId": "00C99322-444D-4DE0-BE28-A19A27490B79", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:umich:libgssapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "64EEA101-71A3-4A16-87B6-F9E7D8B1BD21", "versionEndIncluding": "0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:umich:libgssapi:0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7159CB27-5C35-4774-9815-8CF32DB4B11F", "vulnerable": true}, {"criteria": "cpe:2.3:a:umich:libgssapi:0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AA127D0D-7031-45E9-A513-CCF435C424FA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libgssapi and libgssglue before 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment variable, as demonstrated using mount.nfs."}, {"lang": "es", "value": "libgssapi y libgssglue antes de v0.4 no comprueba correctamente los privilegios, lo que permite cargar archivos de configuraci\u00f3n no confiables a usuarios locales y ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de la variable de entorno GSSAPI_MECH_CONF, como se ha demostrado utilizando mount.nfs."}], "id": "CVE-2011-2709", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-06-21T15:55:10.347", "references": [{"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082297.html"}, {"source": "secalert@redhat.com", "url": "http://lwn.net/Alerts/449415/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/45075"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/50785"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/50973"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.citi.umich.edu/projects/nfsv4/linux/libgssglue/libgssglue-0.4.tar.gz"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2011/07/21/3"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2011/07/22/4"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2011/08/12/10"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/48490"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.novell.com/show_bug.cgi?id=694598"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082297.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lwn.net/Alerts/449415/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/45075"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/50785"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/50973"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.citi.umich.edu/projects/nfsv4/linux/libgssglue/libgssglue-0.4.tar.gz"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2011/07/21/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2011/07/22/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2011/08/12/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/48490"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.novell.com/show_bug.cgi?id=694598"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "libgssglue: Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization", "id": "724005", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=724005"}, "csaw": false, "cvss": {"cvss_base_score": "6.2", "cvss_scoring_vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "status": "draft"}, "details": ["libgssapi and libgssglue before 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment variable, as demonstrated using mount.nfs."], "name": "CVE-2011-2709", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Will not fix", "package_name": "libgssapi", "product_name": "Red Hat Enterprise Linux 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "libgssapi", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libgssglue", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2011-05-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2011-2709\nhttps://nvd.nist.gov/vuln/detail/CVE-2011-2709"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}