Command Injection Vulnerability in Logrotate by Red Hat
CVE-2011-1154
Currently unrated
What is CVE-2011-1154?
The shred_file function in logrotate.c is vulnerable to command injection because it does not handle log filenames safely. An attacker can exploit this by placing shell metacharacters in a log filename; such filenames may be constructed dynamically from hostnames or virtual machine names. This weakness allows attackers to execute arbitrary commands, posing a significant risk to system integrity and security.
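The general remedy for this class of bug, shown as an added example that is not logrotate's own code: flag names containing shell metacharacters and pass the filename to the external tool as a single argv element, with no shell involved. The function names `has_shell_metachar` and `run_on_file`, the sample path, and the use of `rm` as a stand-in for the deletion tool are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the name contains a character a POSIX shell treats specially,
 * i.e. a name that is unsafe to paste into a shell command line. */
static int has_shell_metachar(const char *name)
{
    return name[strcspn(name, " \t\n;&|<>()$`\\\"'*?[]{}!#~")] != '\0';
}

/* Runs `tool -- path` with the path as one argv element. No shell parses the
 * name, so metacharacters in it are only bytes of the file name.
 * Returns the tool's exit status, or -1 on fork/wait failure. */
static int run_on_file(const char *tool, const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so a name starting with '-' is not a flag. */
        execlp(tool, tool, "--", path, (char *)NULL);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: a log name derived from a VM name with ';' and '$'. */
    const char *path = "/tmp/vm;$HOME.log";
    FILE *f = fopen(path, "w");

    if (!f)
        return 1;
    fclose(f);
    printf("metachar=%d\n", has_shell_metachar(path));
    printf("exit=%d\n", run_on_file("rm", path)); /* rm stands in for the tool */
    printf("still present=%d\n", access(path, F_OK) == 0);
    return 0;
}
```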