CVE-2021-4037

Updated: 2023-11-04 20:45:12.609672

Description:

A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files on an XFS filesystem with an unintended group ownership and with the group-execute and SGID permission bits set, in a scenario where a directory is SGID, belongs to a certain group, and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted when they should not be. This vulnerability is similar to the earlier CVE-2018-13405 and adds the fix that was missed for XFS.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

Version           Severity  Score
CVSS Version 2.x            0
CVSS Version 3.x  HIGH      7.8

Status

OS name             Project name  Version  Score  Severity  Status          Errata                  Last updated
AlmaLinux 9.2 ESU   kernel        5.14.0   7.8    HIGH      Already Fixed                           2024-05-31 10:03:27
AlmaLinux 9.2 FIPS  kernel        5.14.0   7.8    HIGH      Already Fixed                           2024-05-31 10:03:27
CentOS 6 ELS        kernel        2.6.32   7.8    HIGH      Released        CLSA-2024:1709204660    2024-03-12 10:04:40
CentOS 7 ELS        kernel        3.10.0   7.8    HIGH      Not Vulnerable                          2023-11-02 14:11:54
CentOS 8.4 ELS      kernel        4.18.0   7.8    HIGH      Released        CLSA-2023:1690287378    2023-07-25 09:19:22
CentOS 8.5 ELS      kernel        4.18.0   7.8    HIGH      Released        CLSA-2023:1690294029    2023-07-25 11:15:10
CentOS Stream 8 ELS kernel        4.18.0   7.8    HIGH      Already Fixed                           2024-06-09 11:20:37
CloudLinux 6 ELS    kernel        2.6.32   7.8    HIGH      Needs Triage                            2022-08-29 23:52:04
Oracle Linux 6 ELS  kernel        2.6.32   7.8    HIGH      Released        CLSA-2024:1709203226    2024-02-29 08:56:25
Ubuntu 16.04 ELS    linux         4.4.0    7.8    HIGH      Released        CLSA-2022:1667414297    2022-11-02 17:03:45
Total: 12