CVE-2010-0789

fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a symlink attack on a mountpoint.

CVSS v2.0 3.3 LOW

3.3^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:M/Au:N/C:N/I:P/A:P

Exploitability : 3.4 / Impact : 4.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034518.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034580.html
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://secunia.com/advisories/38261	Vendor Advisory
http://secunia.com/advisories/38287	Vendor Advisory
http://secunia.com/advisories/38359	Vendor Advisory
http://secunia.com/advisories/38437	Vendor Advisory
http://sourceforge.net/projects/fuse/files/ReleaseNotes/fuse-2.8.3.html/view
http://sourceforge.net/projects/fuse/files/fuse-2.X/2.7.5/fuse-2.7.5.tar.gz/download	Patch
http://www.debian.org/security/2010/dsa-1989	Patch
http://www.securityfocus.com/bid/37983	Patch
http://www.ubuntu.com/usn/USN-892-1
http://www.vupen.com/english/advisories/2010/1107
https://bugzilla.redhat.com/show_bug.cgi?id=532940	Patch
https://bugzilla.redhat.com/show_bug.cgi?id=558833
https://exchange.xforce.ibmcloud.com/vulnerabilities/55945
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034518.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034580.html
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://secunia.com/advisories/38261	Vendor Advisory
http://secunia.com/advisories/38287	Vendor Advisory
http://secunia.com/advisories/38359	Vendor Advisory
http://secunia.com/advisories/38437	Vendor Advisory
http://sourceforge.net/projects/fuse/files/ReleaseNotes/fuse-2.8.3.html/view
http://sourceforge.net/projects/fuse/files/fuse-2.X/2.7.5/fuse-2.7.5.tar.gz/download	Patch
http://www.debian.org/security/2010/dsa-1989	Patch
http://www.securityfocus.com/bid/37983	Patch
http://www.ubuntu.com/usn/USN-892-1
http://www.vupen.com/english/advisories/2010/1107
https://bugzilla.redhat.com/show_bug.cgi?id=532940	Patch
https://bugzilla.redhat.com/show_bug.cgi?id=558833
https://exchange.xforce.ibmcloud.com/vulnerabilities/55945

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fuse:fuse:1.9:::::::*
	cpe:2.3:a:fuse:fuse:2.0:pre0::::::
	cpe:2.3:a:fuse:fuse:2.0:pre1::::::
	cpe:2.3:a:fuse:fuse:2.1:::::::*
	cpe:2.3:a:fuse:fuse:2.2:::::::*
	cpe:2.3:a:fuse:fuse:2.2.1:::::::*
	cpe:2.3:a:fuse:fuse:2.3:pre::::::
	cpe:2.3:a:fuse:fuse:2.3:rc1::::::
	cpe:2.3:a:fuse:fuse:2.3.0:::::::*
	cpe:2.3:a:fuse:fuse:2.4.0:::::::*
	cpe:2.3:a:fuse:fuse:2.4.1:::::::*
	cpe:2.3:a:fuse:fuse:2.4.2:::::::*
	cpe:2.3:a:fuse:fuse:2.5.0:::::::*
	cpe:2.3:a:fuse:fuse:2.5.1:::::::*
	cpe:2.3:a:fuse:fuse:2.5.2:::::::*
	cpe:2.3:a:fuse:fuse:2.5.3:::::::*
	cpe:2.3:a:fuse:fuse:2.6.0:::::::*
	cpe:2.3:a:fuse:fuse:2.6.1:::::::*
	cpe:2.3:a:fuse:fuse:2.6.3:::::::*
	cpe:2.3:a:fuse:fuse:2.6.5:::::::*
	cpe:2.3:a:fuse:fuse:2.7.0:::::::*
	cpe:2.3:a:fuse:fuse:2.7.1:::::::*
	cpe:2.3:a:fuse:fuse:2.7.2:::::::*
	cpe:2.3:a:fuse:fuse:2.7.3:::::::*
	cpe:2.3:a:fuse:fuse:2.7.4:::::::*

History

21 Nov 2024, 01:12

Information

Published : 2010-03-02 18:30

Updated : 2025-04-11 00:51

NVD link : CVE-2010-0789

Mitre link : CVE-2010-0789

CVE.ORG link : CVE-2010-0789

JSON object : View

Products Affected

fuse

fuse

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2010-0789", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2010-03-02T18:30:01.117", "references": [{"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633", "source": "cve@mitre.org"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034518.html", "source": "cve@mitre.org"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034580.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/38261", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/38287", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/38359", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/38437", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://sourceforge.net/projects/fuse/files/ReleaseNotes/fuse-2.8.3.html/view", "source": "cve@mitre.org"}, {"url": "http://sourceforge.net/projects/fuse/files/fuse-2.X/2.7.5/fuse-2.7.5.tar.gz/download", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2010/dsa-1989", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/37983", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.ubuntu.com/usn/USN-892-1", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2010/1107", "source": "cve@mitre.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=532940", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=558833", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55945", "source": "cve@mitre.org"}, {"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034518.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034580.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/38261", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/38287", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/38359", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/38437", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sourceforge.net/projects/fuse/files/ReleaseNotes/fuse-2.8.3.html/view", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sourceforge.net/projects/fuse/files/fuse-2.X/2.7.5/fuse-2.7.5.tar.gz/download", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.debian.org/security/2010/dsa-1989", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/37983", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.ubuntu.com/usn/USN-892-1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.vupen.com/english/advisories/2010/1107", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=532940", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=558833", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55945", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a symlink attack on a mountpoint."}, {"lang": "es", "value": "fusermount en FUSE anteriores a v2.7.5, y v2.8.x anteriores a v2.8.2, permite a usuarios locales desmontar sistemas de ficheros compartidos FUSE arbitrarios a trav\u00e9s de un ataque de enlace simb\u00f3lico en un punto de montaje."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fuse:fuse:1.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55969766-1B53-4987-BED1-69210D870159"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.0:pre0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "975404B1-A1D7-498E-BCAF-27F6F0C6D6DB"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.0:pre1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C66E7-CDE5-447F-A718-1F8E09DBD03B"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D694A371-E110-404C-8A8B-E162BE7CC420"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "57EA26ED-6A5B-46FD-B776-56164C2CA2A7"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4070A046-AFAF-47E7-8143-950E7113F7D9"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.3:pre:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F58FB896-AC2F-44F6-B225-6B1E8B5D5AAA"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.3:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "046B9EE6-597B-4668-A7E3-3B2E19F2F1F2"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F6E73A6-7598-43D0-85B6-36854D241753"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C84298D-29DA-4E25-872C-C01123DC264B"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79145A4A-180B-4A01-9B27-FF41C80C8A2E"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8FB5A17-317D-4FCD-9135-7B6FBFF43122"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86127064-585A-491A-9C02-3868293287E9"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9AFE150-9202-478D-B9A5-A06631A7F654"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A203B9AA-AC5A-4F97-8B22-FD4CE9A5E9E6"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.5.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D88FC4B0-D669-4B8C-9F0E-8B40FD269707"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C58DA611-5C3C-48B5-9A97-AF61E79C2A11"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "745A4F8C-CB3C-40CF-9358-89403CDAC064"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA50E0DD-E42D-4A6B-A2D1-5EB5E032A3D5"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "166EEDD0-41AC-48F6-BB41-2199E07D70C5"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55B8E8CD-A4C9-4542-BA8E-6A59352225F4"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3168CEE0-DCB6-48DC-B1A1-A7A24E0D4455"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "553EBB29-A227-428F-A752-BDFB100C954D"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55859957-F60A-452F-B41F-1C08ABA073A0"}, {"criteria": "cpe:2.3:a:fuse:fuse:2.7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E20A7A1-54C5-427C-8232-E4E8CCB16AC4"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug: \nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2010-0789\n\nThis issue affects Red Hat Enterprise Linux 5 because it ships fusermount suid root, however the impact of this flaw is minimized due to the fact that only members in group fuse may use it the executable is owned root:fuse and mode 4750.\n\nRed Hat Enterprise Linux 3 and 4 do not provide the fuse package.\n\nThe Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:\n\nhttp://www.redhat.com/security/updates/classification/", "lastModified": "2010-04-07T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}

3.3 /10