CVE-2008-2931 — HIGH (7.8) — White Hats Nepal

Q: How severe is CVE-2008-2931?

CVE-2008-2931 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2008-2931?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Server, Opensuse Opensuse.

Vulnerability Description

The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	< 2.6.22
Debian	Debian Linux	4.0
Novell	Suse Linux Enterprise Desktop	10.0
Novell	Suse Linux Enterprise Server	10.0
Opensuse	Opensuse	>= 10.3, <= 11.0
Canonical	Ubuntu Linux	6.06

Related Weaknesses (CWE)

CWE-269

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commitdiff%
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22Broken Link
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00007.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00012.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00003.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.htmlMailing ListThird Party Advisory
http://secunia.com/advisories/30982Broken Link
http://secunia.com/advisories/31551Broken Link
http://secunia.com/advisories/31614Broken Link
http://secunia.com/advisories/32023Broken Link
http://secunia.com/advisories/32759Broken Link
http://www.debian.org/security/2008/dsa-1630PatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2008/07/08/3Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2008/07/08/4Mailing ListThird Party Advisory
http://www.redhat.com/support/errata/RHSA-2008-0885.htmlBroken Link

FAQ

What is CVE-2008-2931?

CVE-2008-2931 is a vulnerability with a CVSS score of 7.8 (HIGH). The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a...

How severe is CVE-2008-2931?

CVE-2008-2931 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2008-2931?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Server, Opensuse Opensuse.