CVE-2018-10906 — MEDIUM (5.3)

Q: How severe is CVE-2018-10906?

CVE-2018-10906 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-10906?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fuse Project Fuse, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation.

Vulnerability Description

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	8.0
Fuse Project	Fuse	< 2.9.8
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-269 CWE-285

References

https://access.redhat.com/errata/RHSA-2018:3324Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10906Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00015.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.debian.org/security/2018/dsa-4257Third Party Advisory
https://www.exploit-db.com/exploits/45106/ExploitThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3324Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10906Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00015.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.debian.org/security/2018/dsa-4257Third Party Advisory

FAQ

What is CVE-2018-10906?

CVE-2018-10906 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_othe...

How severe is CVE-2018-10906?

CVE-2018-10906 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10906?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fuse Project Fuse, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation.