Vulnerability Description
The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a successful login through certain applications that use Linux-PAM (aka pam).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Fscrypt | < 0.2.4 |
References
- https://github.com/google/fscrypt/commit/3022c1603d968c22f147b4a2c49c4637dd1be91 (Patch, Third Party Advisory)
- https://github.com/google/fscrypt/commit/315f9b042237200174a1fb99427f74027e191d6 (Patch, Third Party Advisory)
- https://github.com/google/fscrypt/issues/77 (Issue Tracking, Third Party Advisory)
- https://launchpad.net/bugs/1787548 (Issue Tracking, Patch, Third Party Advisory)
FAQ
What is CVE-2018-6558?
CVE-2018-6558 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a ...
How severe is CVE-2018-6558?
CVE-2018-6558 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-6558?
Check the references section above for vendor advisories and patch information. Affected products include: Google Fscrypt.