Vulnerability Description
verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verifying that it is the application's own log file, which allows local users to overwrite arbitrary files by creating a symlink with an iivdb.log filename.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ingres | Ingres | 2.6 |
Related Weaknesses (CWE)
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
- http://secunia.com/advisories/31357 (Vendor Advisory)
- http://secunia.com/advisories/31398
- http://securitytracker.com/id?1020613
- http://www.ingres.com/support/security-alert-080108.php
- http://www.securityfocus.com/archive/1/495177/100/0/threaded
- http://www.securityfocus.com/bid/30512
- http://www.vupen.com/english/advisories/2008/2292
- http://www.vupen.com/english/advisories/2008/2313
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44177
- https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989
FAQ
What is CVE-2008-3356?
CVE-2008-3356 is a vulnerability with a CVSS score of 4.6 (MEDIUM). verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verify...
How severe is CVE-2008-3356?
CVE-2008-3356 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2008-3356?
Check the references section above for vendor advisories and patch information. Affected products include: Ingres Ingres.