CVE Vulnerability

CVE-2008-3356

verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verifying that it is the application's own log file, which allows local users to overwrite arbitrary files by creating a symlink with an iivdb.log filename.

4.6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

References
Link Resource
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
http://www.ingres.com/support/security-alert-080108.php
http://www.securityfocus.com/bid/30512
http://securitytracker.com/id?1020613
http://secunia.com/advisories/31357 Vendor Advisory
http://secunia.com/advisories/31398
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989
http://www.vupen.com/english/advisories/2008/2313
http://www.vupen.com/english/advisories/2008/2292
https://exchange.xforce.ibmcloud.com/vulnerabilities/44177
http://www.securityfocus.com/archive/1/495177/100/0/threaded
Configurations

Configuration 1

cpe:2.3:a:ingres:ingres:2006:release_2:*:*:*:*:*:*
cpe:2.3:a:ingres:ingres:2006:release_1:*:*:*:*:*:*
cpe:2.3:a:ingres:ingres:2006:9.0.1:*:*:*:*:*:*
cpe:2.3:a:ingres:ingres:2.6:*:*:*:*:*:*:*
cpe:2.3:a:ingres:ingres:2006:9.0.4:*:*:*:*:*:*
Information

Published : 2008-08-05 07:41

Updated : 2018-10-11 08:48

NVD link : CVE-2008-3356

Mitre link : CVE-2008-3356

Products Affected
No products.
CWE
CWE-264