CVE-2012-3292

The GridFTP in Globus Toolkit (GT) before 5.2.2, when certain autoconf macros are defined, does not properly check the return value from the getpwnam_r function, which might allow remote attackers to gain privileges by logging in with a user that does not exist, which causes GridFTP to run as the last user in the password file.

CVSS v2.0 7.6 HIGH

7.6^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:H/Au:N/C:C/I:C/A:C

Exploitability : 4.9 / Impact : 10.0

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://jira.globus.org/browse/GT-195
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081787.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081791.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081797.html
http://www.debian.org/security/2012/dsa-2523

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:globus:globus_toolkit::::::::
	cpe:2.3:a:globus:globus_toolkit:2.0:::::::*
	cpe:2.3:a:globus:globus_toolkit:2.2:::::::*
	cpe:2.3:a:globus:globus_toolkit:2.4.3:::::::*
	cpe:2.3:a:globus:globus_toolkit:3.0.2:::::::*
	cpe:2.3:a:globus:globus_toolkit:3.2.1:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.0:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.1:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.2:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.3:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.4:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.5:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.6:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.7:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.0.8:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.2.0:::::::*
	cpe:2.3:a:globus:globus_toolkit:4.2.1:::::::*
	cpe:2.3:a:globus:globus_toolkit:5.0.0:::::::*
	cpe:2.3:a:globus:globus_toolkit:5.0.1:::::::*
	cpe:2.3:a:globus:globus_toolkit:5.0.2:::::::*
	cpe:2.3:a:globus:globus_toolkit:5.0.3:::::::*
	cpe:2.3:a:globus:globus_toolkit:5.0.4:::::::*
	cpe:2.3:a:globus:globus_toolkit:5.0.5:::::::*
	cpe:2.3:a:globus:globus_toolkit:5.2.0:::::::*

History

No history.

Information

Published : 2012-06-07 20:55

Updated : 2023-12-10 11:16

NVD link : CVE-2012-3292

Mitre link : CVE-2012-3292

CVE.ORG link : CVE-2012-3292

JSON object : View

Products Affected

globus

globus_toolkit

CWE

CWE-264

Permissions, Privileges, and Access Controls

7.6 /10