Vulnerability Details : CVE-2006-7098
The Debian GNU/Linux 033_-F_NO_SETSID patch for the Apache HTTP Server 1.3.34-4 does not properly disassociate httpd from a controlling tty when httpd is started interactively, which allows local users to gain privileges to that tty via a CGI program that calls the TIOCSTI ioctl.
Exploit prediction scoring system (EPSS) score for CVE-2006-7098
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ %
CVSS scores for CVE-2006-7098
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.6 | MEDIUM | AV:L/AC:M/Au:S/C:C/I:C/A:C | 2.7 | 10.0 | NIST |
CWE ids for CVE-2006-7098
- Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2006-7098
- Red Hat, 2007-03-05: Not vulnerable. This issue was specific to a Debian patch to Apache HTTP Server.
- Apache, 2008-07-02: This issue did not affect the upstream Apache HTTP Server versions.
- cpe:2.3:a:debian:apache:1.3.34.4:*:*:*:*:*:*:*