CVE-2017-1000215
critical
CVSS v3
9.8
CVSS v2
10.0
VIR risk
9.8
Description
ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection, resulting in remote code execution.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-1000215
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-1000215.html
Vendor advisory: cve@mitre.org — https://github.com/xrootd/xrootd/commit/befa2e627a5a33a38c92db3e57c07d8246a24acf
Vendor advisory: cve@mitre.org — https://github.com/xrootd/xrootd/blob/v4.6.1/docs/ReleaseNotes.txt
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| xrootd | xrootd | 4.6.0 and earlier | |
References
- https://github.com/xrootd/xrootd/blob/befa2e627a5a33a38c92db3e57c07d8246a24acf/src/XrdSecgsi/XrdSecgsiGMAPFunLDAP.cc#L85
- https://github.com/xrootd/xrootd/blob/v4.6.1/docs/ReleaseNotes.txt
- https://github.com/xrootd/xrootd/commit/befa2e627a5a33a38c92db3e57c07d8246a24acf
- https://security.gentoo.org/glsa/201903-11
- https://www.suse.com/security/cve/CVE-2017-1000215.html
- https://security-tracker.debian.org/tracker/CVE-2017-1000215
CWEs
CWE-78