
CVE-2022-45473: world-readable logfile #241

Closed
asarubbo opened this issue Nov 18, 2022 · 4 comments

Comments

@asarubbo

Hello,

when drachtio-server starts, it creates /var/log/drachtio with mode 777.

This leads to a disclosure because a local user can retrieve sensitive data (like IP and so on).

Here are the details:

drachtio1 ~ # systemctl stop drachtio
drachtio1 ~ # rm -fr /var/log/drachtio
drachtio1 ~ # systemctl start drachtio
drachtio1 ~ # ls -la /var/log/drachtio/
total 12
drwxrwxrwx  3 root root 4096 Nov 18 16:01 .
drwxr-xr-x 15 root root 4096 Nov 18 16:01 ..
drwxrwxrwx  2 root root 4096 Nov 18 16:01 archive
-rw-rw-rw-  1 root root    0 Nov 18 16:01 drachtio.log

To fix this issue, /var/log/drachtio should be created with mode 770
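The fix the reporter proposes (mode 770 on the directory) is easy to get wrong in practice, because mkdir() applies the process umask and silently keeps the old bits on a directory that already exists, and because the log file inside it needs the same treatment. The following is an added example written for this issue, not drachtio-server's own code: it creates a log directory and log file with no "other" bits even under a fully permissive umask, and includes a small audit check of the kind a defender would run against an installed service. The path names under /tmp are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create (or adopt) a log directory that only the owner and group may enter.
 * mkdir() honours the umask and leaves an existing directory untouched, so the
 * mode is set explicitly afterwards regardless of what mkdir() did. */
int create_private_log_dir(const char *path) {
    if (mkdir(path, 0770) != 0 && errno != EEXIST) return -1;
    if (chmod(path, 0770) != 0) return -1;
    return 0;
}

/* Create the log file with mode 0660. O_NOFOLLOW refuses to open through a
 * symlink left at that path; fchmod() corrects the umask-masked create mode. */
int create_private_log_file(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0660);
    if (fd < 0) return -1;
    if (fchmod(fd, 0660) != 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Audit check: 1 if "others" hold any permission bit on path, 0 if none,
 * -1 if the path cannot be examined. lstat() so a symlink is judged itself. */
int is_world_accessible(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & S_IRWXO) ? 1 : 0;
}

/* Demo 1: under a temporary directory (constructed name), and with a umask
 * that masks nothing, the directory and the log file must both end up
 * without "other" bits. Returns 0 on success, 1 if the audit still flags
 * them, -1 on a system error. */
int demo_private_log(void) {
    char tmpl[] = "/tmp/drachtio-demo-XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return -1;
    char dir[PATH_MAX], file[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/log", base);
    snprintf(file, sizeof file, "%s/log/drachtio.log", base);
    mode_t old = umask(0);
    int rc = 0;
    if (create_private_log_dir(dir) != 0 || create_private_log_file(file) != 0)
        rc = -1;
    else if (is_world_accessible(dir) != 0 || is_world_accessible(file) != 0)
        rc = 1;
    umask(old);
    unlink(file); rmdir(dir); rmdir(base);
    return rc;
}

/* Demo 2: a directory created the way the report describes (mode 777) is
 * flagged by the audit check. Returns 1 when the check flags it. */
int demo_world_writable_detected(void) {
    char tmpl[] = "/tmp/drachtio-bad-XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return -1;
    if (chmod(base, 0777) != 0) { rmdir(base); return -1; }
    int flagged = is_world_accessible(base);
    rmdir(base);
    return flagged;
}

int main(void) {
    printf("private log dir/file: %s\n",
           demo_private_log() == 0 ? "no other bits" : "FAILED");
    printf("777 directory flagged: %s\n",
           demo_world_writable_detected() == 1 ? "yes" : "no");
    return 0;
}
```

The audit function is the part worth reusing: run it against /var/log/drachtio and /var/log/drachtio/drachtio.log on a host to confirm the deployed version no longer exposes the log to every local account.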

@davehorton
Collaborator

fixed in v0.8.19-rc12

@asarubbo asarubbo changed the title world-readable logfile CVE-2022-45473: world-readable logfile Nov 25, 2022
@asarubbo
Author

CVE-2022-45473 has been assigned to this issue.

@davehorton
Collaborator

could you please update the various entries you made out in the world to indicate this is fixed

@asarubbo
Author

I don't know what "entries you made out in the world" stands for.

The CVE was requested when the issue was unfixed. When it was fixed I sent an update, but the update on nvd.nist.gov does not depend on me.
