CVE-2017-9286 - The packaging of NextCloud in openSUSE used /srv/www/htdocs in an unsafe manner, which could have al

CVE-2017-9286

Summary

The packaging of NextCloud in openSUSE used /srv/www/htdocs in an unsafe manner, which could have allowed scripts running as wwwrun user to escalate privileges to root during nextcloud package upgrade.

References

https://bugzilla.suse.com/show_bug.cgi?id=1036756
https://lists.opensuse.org/opensuse-updates/2017-10/msg00010.html
https://www.suse.com/de-de/security/cve/CVE-2017-9286/

Vulnerable Configurations

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

CVSS

Base:	9.0 (as of 09-10-2019 - 23:30)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:S/C:C/I:C/A:C

refmap via4

confirm	https://bugzilla.suse.com/show_bug.cgi?id=1036756 https://www.suse.com/de-de/security/cve/CVE-2017-9286/
suse	openSUSE-SU-2017:2641

Last major update

09-10-2019 - 23:30

Published

01-03-2018 - 20:29

Last modified

09-10-2019 - 23:30