cnvd-2016-11746
Vulnerability from cnvd

Title: LXC directory traversal vulnerability

Description:

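LXC is a userspace interface for the Linux kernel's container features. Through a powerful API and simple tools, it makes it easy for Linux users to create and manage system or application containers.

LXC has a directory traversal vulnerability because the program fails to sufficiently validate user-supplied input. An attacker can exploit the vulnerability by using directory traversal characters ('../') to access or read arbitrary files containing sensitive information, or to access files outside the restricted directory, in order to obtain sensitive information and carry out further attacks.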

Severity:

Patch Name: Patch for the LXC directory traversal vulnerability

Patch Description:

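LXC is a userspace interface for the Linux kernel's container features. Through a powerful API and simple tools, it makes it easy for Linux users to create and manage system or application containers.

LXC has a directory traversal vulnerability because the program fails to sufficiently validate user-supplied input. An attacker can exploit the vulnerability by using directory traversal characters ('../') to access or read arbitrary files containing sensitive information, or to access files outside the restricted directory, in order to obtain sensitive information and carry out further attacks. The vendor has since released a security advisory and related patch information that fix this vulnerability.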

Formal description:

Users can contact the vendor for patch information: https://linuxcontainers.org/

Reference: http://www.securityfocus.com/bid/94498

Impacted products
Name
['LXC LXC 2.0.5', 'LXC LXC 2.0.4', 'LXC LXC 2.0.3', 'LXC LXC 2.0.2', 'LXC LXC 2.0.1', 'LXC LXC 2.0', 'LXC LXC 1.0.8', 'LXC LXC 1.0.7', 'LXC LXC 1.0.6', 'LXC LXC 1.0.5', 'LXC LXC 1.0.4', 'LXC LXC 1.0.3', 'LXC LXC 1.0.2', 'LXC LXC 1.0.1', 'LXC LXC 1.0.0']


{
  "bids": {
    "bid": {
      "bidNumber": "94498"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-8649"
    }
  },
  "description": "LXC\u662fLinux\u5185\u6838\u5bb9\u5668\u529f\u80fd\u7684\u4e00\u4e2a\u7528\u6237\u7a7a\u95f4\u63a5\u53e3\uff0c\u5b83\u901a\u8fc7\u5f3a\u5927\u7684API\u548c\u7b80\u5355\u7684\u5de5\u5177\uff0c\u4f7fLinux\u7528\u6237\u6613\u4e8e\u521b\u5efa\u548c\u7ba1\u7406\u7cfb\u7edf\u6216\u5e94\u7528\u5bb9\u5668\u3002 \r\n\r\nLXC\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u7531\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4f7f\u7528\u76ee\u5f55\u904d\u5386\u5b57\u7b26\uff08\u0027../\u0027\uff09\u8bbf\u95ee\u6216\u8bfb\u53d6\u5305\u542b\u654f\u611f\u4fe1\u606f\u7684\u4efb\u610f\u6587\u4ef6\u6216\u8bbf\u95ee\u53d7\u9650\u76ee\u5f55\u5916\u7684\u6587\u4ef6\u4ee5\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u5e76\u6267\u884c\u5176\u4ed6\u653b\u51fb\u3002",
  "discovererName": "Roman Fiedler from AIT",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://linuxcontainers.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-11746",
  "openTime": "2016-12-02",
  "patchDescription": "LXC\u662fLinux\u5185\u6838\u5bb9\u5668\u529f\u80fd\u7684\u4e00\u4e2a\u7528\u6237\u7a7a\u95f4\u63a5\u53e3\uff0c\u5b83\u901a\u8fc7\u5f3a\u5927\u7684API\u548c\u7b80\u5355\u7684\u5de5\u5177\uff0c\u4f7fLinux\u7528\u6237\u6613\u4e8e\u521b\u5efa\u548c\u7ba1\u7406\u7cfb\u7edf\u6216\u5e94\u7528\u5bb9\u5668\u3002 \r\n\r\nLXC\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u7531\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4f7f\u7528\u76ee\u5f55\u904d\u5386\u5b57\u7b26\uff08\u0027../\u0027\uff09\u8bbf\u95ee\u6216\u8bfb\u53d6\u5305\u542b\u654f\u611f\u4fe1\u606f\u7684\u4efb\u610f\u6587\u4ef6\u6216\u8bbf\u95ee\u53d7\u9650\u76ee\u5f55\u5916\u7684\u6587\u4ef6\u4ee5\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u5e76\u6267\u884c\u5176\u4ed6\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "LXC\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "LXC LXC 2.0.5",
      "LXC LXC  2.0.4",
      "LXC LXC  2.0.3",
      "LXC LXC  2.0.2",
      "LXC LXC  2.0.1",
      "LXC LXC  2.0",
      "LXC LXC  1.0.8",
      "LXC LXC  1.0.7",
      "LXC LXC  1.0.6",
      "LXC LXC  1.0.5",
      "LXC LXC  1.0.4",
      "LXC LXC  1.0.3",
      "LXC LXC  1.0.2",
      "LXC LXC  1.0.1",
      "LXC LXC  1.0.0"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/94498",
  "serverity": "\u4e2d",
  "submitTime": "2016-11-29",
  "title": "LXC\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

