1. Home
  2. CVE Database
  3. CVE-2017-6964
HIGH · 7.8

CVE-2017-6964

dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code...

Vulnerability Description

dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code, which was intended to run as an unprivileged user, as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
CanonicalUbuntu Linux12.04
DebianDebian Linux8.0

Related Weaknesses (CWE)

CWE-252

References

FAQ

What is CVE-2017-6964?

CVE-2017-6964 is a vulnerability with a CVSS score of 7.8 (HIGH). dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code...

How severe is CVE-2017-6964?

CVE-2017-6964 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-6964?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux.