Access Restriction Bypass Affecting bareos/bareos package, versions [,16.2.7)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-BAREOSBAREOS-2365194
  • published26 Jan 2022
  • disclosed20 Sept 2017
  • creditUnknown

Introduced: 20 Sep 2017

CVE-2017-14610  (opens in a new tab)
CWE-264  (opens in a new tab)

How to fix?

Upgrade bareos/bareos to version 16.2.7 or higher.

Overview

Affected versions of this package are vulnerable to Access Restriction Bypass bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 and earlier create a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command.

References

CVSS Scores

version 3.1