Vulnerability Details : CVE-2010-2946
fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an "os2." substring at the beginning of a name.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2010-2946
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 8 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2010-2946
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N |
3.9
|
2.9
|
NIST |
CWE ids for CVE-2010-2946
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-2946
-
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html
[security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:20Mailing List;Third Party Advisory
-
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.51
404: File not foundVendor Advisory
-
http://www.mandriva.com/security/advisories?name=MDVSA-2011:051
mandriva.comThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html
[security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:20Mailing List;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-1000-1
USN-1000-1: Linux kernel vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html
[security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:20Mailing List;Third Party Advisory
-
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=aca0fa34bdaba39bfddddba8ca70dba4782e8fe6
-
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35.2
404: File not foundVendor Advisory
-
http://www.openwall.com/lists/oss-security/2010/08/20/1
oss-security - CVE request - kernel: jfs: don't allow os2 xattr namespace overlap with othersMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
[security-announce] SUSE Security Announcement: Realtime Linux Kernel (SMailing List;Third Party Advisory
-
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.10
404: File not foundVendor Advisory
-
http://www.openwall.com/lists/oss-security/2010/08/20/11
oss-security - Re: CVE request - kernel: jfs: don't allow os2 xattr namespace overlap with othersMailing List;Third Party Advisory
-
http://www.vupen.com/english/advisories/2011/0375
Webmail | OVH- OVHThird Party Advisory
-
http://www.vupen.com/english/advisories/2011/0298
Webmail | OVH- OVHThird Party Advisory
-
http://www.securityfocus.com/bid/42589
Linux Kernel JFS xattr Namespace Rules Security Bypass VulnerabilityThird Party Advisory;VDB Entry
-
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html
[security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:20Mailing List;Third Party Advisory
Products affected by CVE-2010-2946
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:*