Security Issue in FOG Installation Allows Modifying Files Outside of Exports
CVE-2024-39916

6.4MEDIUM

Key Information:

Vendor: Fogproject
Status: Fogproject
Vendor: CVE Published:; 12 July 2024

What is CVE-2024-39916?

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. There is a security issue with the NFS configuration in /etc/exports generated by the installer that allows an attacker to modify files outside the export in the default installation. The exports have the no_subtree_check option. The no_subtree_check option means that if a client performs a file operation, the server will only check if the requested file is on the correct filesystem, not if it is in the correct directory. This enables modifying files in /images, accessing other files on the same filesystem, and accessing files on other filesystems. This vulnerability is fixed in 1.5.10.30.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

fogproject < 1.5.10.30

References

https://github.com/FOGProject/fogproject/security/advisor...

x_refsource_CONFIRM

https://github.com/FOGProject/fogproject/commit/2de209bc5...

x_refsource_MISC

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jul 12, 2024
Vulnerability Reserved
Jul 2, 2024

JSON

Fogproject