CVE-2014-2905 Common Vulnerabilities and Exposures

Upstream information

CVE-2014-2905 at MITRE

Description

fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the credentials, which allows local users to gain privileges via the universal variable socket, related to /tmp/fishd.socket.user permissions.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	6.9
Vector	AV:L/AC:M/Au:N/C:C/I:C/A:C
Access Vector	Local
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Complete
Integrity Impact	Complete
Availability Impact	Complete

No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

openSUSE-SU-2019:2177-1, published Fri Dec 8 15:48:43 2023
openSUSE-SU-2019:2188-1, published Fri Dec 8 15:48:43 2023

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 12	`fish >= 2.2.0-6.1`	Patchnames: openSUSE-2016-790
openSUSE Leap 15.0	`fish3 >= 3.0.0-lp150.3.1` `fish3-devel >= 3.0.0-lp150.3.1`	Patchnames: openSUSE-2019-2177
openSUSE Leap 15.1	`fish3 >= 3.0.0-lp151.2.1` `fish3-devel >= 3.0.0-lp151.2.1`	Patchnames: openSUSE-2019-2188
openSUSE Tumbleweed	`fish >= 2.4.0-1.1`	Patchnames: openSUSE-Tumbleweed-2024-10348

SUSE Timeline for this CVE

CVE page created: Mon Apr 28 21:16:29 2014
CVE page last modified: Sat Jun 15 22:13:50 2024