Vulnerability Description
The hesiod_init function in lib/hesiod.c in Hesiod 3.2.1 compares EUID with UID to determine whether to use configurations from environment variables, which allows local users to gain privileges via the (1) HESIOD_CONFIG or (2) HES_DOMAIN environment variable and leveraging certain SUID/SGUID binary.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hesiod Project | Hesiod | 3.2.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2017/01/21/1PatchThird Party Advisory
- http://www.securityfocus.com/bid/90952
- https://bugzilla.redhat.com/show_bug.cgi?id=1332508Issue Tracking
- https://github.com/achernya/hesiod/pull/9Issue TrackingPatchThird Party Advisory
- https://security.gentoo.org/glsa/201805-01
- http://www.openwall.com/lists/oss-security/2017/01/21/1PatchThird Party Advisory
- http://www.securityfocus.com/bid/90952
- https://bugzilla.redhat.com/show_bug.cgi?id=1332508Issue Tracking
- https://github.com/achernya/hesiod/pull/9Issue TrackingPatchThird Party Advisory
- https://security.gentoo.org/glsa/201805-01
FAQ
What is CVE-2016-10151?
CVE-2016-10151 is a vulnerability with a CVSS score of 7.0 (HIGH). The hesiod_init function in lib/hesiod.c in Hesiod 3.2.1 compares EUID with UID to determine whether to use configurations from environment variables, which allows local users to gain privileges via t...
How severe is CVE-2016-10151?
CVE-2016-10151 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10151?
Check the references section above for vendor advisories and patch information. Affected products include: Hesiod Project Hesiod.