Environment Variable Vulnerability in FreeBSD and Other BSD Distributions
CVE-2006-6165

7.8 HIGH

Key Information:

Vendor: NetBSD
CVE Published: 29 November 2006

What is CVE-2006-6165?

The ld.so dynamic linker in FreeBSD, NetBSD, and potentially other BSD operating systems does not properly clear harmful environment variables. This oversight can allow malicious local users to elevate their privileges by injecting specific environment variables into processes during execution. Although a third party has contended that it is the application's responsibility to handle these environment variables adequately, the vulnerability presents significant security risks and highlights the need for better environment sanitization in operating system components.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
