ID CVE-2008-5188
Summary The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process.
References
Vulnerable Configurations
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:45:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:46:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:47:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:48:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:49:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:50:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:51:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:53:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:54:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:55:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:56:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:57:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:58:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:59:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:60:*:*:*:*:*:*:*
  • cpe:2.3:a:ecryptfs:ecryptfs_utils:61:*:*:*:*:*:*:*
CVSS
Base: 7.2 (as of 29-09-2017 - 01:32)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
  • Vector LOCAL
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
cvss-vector via4 AV:L/AC:L/Au:N/C:C/I:C/A:C
oval via4
accepted 2013-04-29T04:20:38.255-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process.
family unix
id oval:org.mitre.oval:def:9607
status accepted
submitted 2010-07-09T03:56:16-04:00
title The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process.
version 18
redhat via4
advisories
bugzilla
id 472524
title CVE-2008-5188 ecryptfs-utils: potential provided password disclosure in the process table
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment ecryptfs-utils is earlier than 0:75-5.el5
          oval oval:com.redhat.rhsa:tst:20091307001
        • comment ecryptfs-utils is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091307002
      • AND
        • comment ecryptfs-utils-devel is earlier than 0:75-5.el5
          oval oval:com.redhat.rhsa:tst:20091307003
        • comment ecryptfs-utils-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091307004
      • AND
        • comment ecryptfs-utils-gui is earlier than 0:75-5.el5
          oval oval:com.redhat.rhsa:tst:20091307005
        • comment ecryptfs-utils-gui is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091307006
rhsa
id RHSA-2009:1307
released 2009-09-02
severity Low
title RHSA-2009:1307: ecryptfs-utils security, bug fix, and enhancement update (Low)
rpms
  • ecryptfs-utils-0:75-5.el5
  • ecryptfs-utils-debuginfo-0:75-5.el5
  • ecryptfs-utils-devel-0:75-5.el5
  • ecryptfs-utils-gui-0:75-5.el5
refmap via4
confirm
mlist
  • [oss-security] 20081023 CVE request for ecryptfs
  • [oss-security] 20081029 Re: CVE request for ecryptfs
osvdb
  • 49334
  • 50353
  • 50354
  • 50355
secunia
  • 32382
  • 36552
xf ecryptfsutils-setupprivate-info-disclosure(46073)
Last major update 29-09-2017 - 01:32
Published 21-11-2008 - 02:30
Last modified 29-09-2017 - 01:32