CVE-2013-0337

Published: 27 October 2013

The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

Priority

Low

Status

Package: nginx (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Released (1.6.2-5, 1.4.4-2)
Ubuntu 18.04 LTS (Bionic Beaver)     Ignored
Ubuntu 16.04 ESM (Xenial Xerus)      Ignored
Ubuntu 14.04 ESM (Trusty Tahr)       Ignored

Notes

Author: mdeslaur

Note:
The fix for CVE-2016-1247 in USN-3114-1 technically re-introduced this issue, but only for environments that configure non-default log filenames.
Upstream will not be fixing the default permissions on log files.
Marking this CVE as ignored, since the default configuration is not vulnerable and we will not be fixing this any further.
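
Because the note leaves the exposure in place for non-default log filenames, the following shell script (an added example, not part of the Ubuntu tracker entry or of nginx) reads the log paths out of the configuration files it is given and lists those whose mode lets other local users read them. The function names are this example's own; it assumes absolute log paths without spaces and does not follow include directives.

```shell
#!/bin/sh
# Added example: flag nginx log files that other local users can read.
# Assumptions: absolute paths without spaces (optionally double-quoted);
# "include" is not followed, so pass every config file on the command line.

# Print the file paths named by access_log / error_log directives.
nginx_log_paths() {
  awk '
    { sub(/#.*/, "") }                       # strip comments
    $1 == "access_log" || $1 == "error_log" {
      p = $2
      sub(/;$/, "", p); gsub(/"/, "", p)
      # skip "off", stderr, syslog:/memory: targets and variable paths
      if (p ~ /^\// && p !~ /\$/) print p
    }' "$@" | sort -u
}

# True when the "other" read bit is set on the file (mode bits only; a
# parent directory that other users cannot traverse also blocks access).
world_readable() {
  [ -n "$(find -H "$1" -prune -perm -o=r -print 2>/dev/null)" ]
}

# List exposed logs; return 1 if any exist, 0 otherwise.
audit_nginx_logs() {
  exposed=$(nginx_log_paths "$@" | while IFS= read -r log; do
    if world_readable "$log"; then printf '%s\n' "$log"; fi
  done)
  if [ -n "$exposed" ]; then
    printf '%s\n' "$exposed"
    return 1
  fi
  return 0
}

# Typical Debian/Ubuntu invocation (paths are the usual layout, adjust as needed):
#   sh audit.sh /etc/nginx/nginx.conf /etc/nginx/sites-enabled/*
if [ "$#" -gt 0 ]; then audit_nginx_logs "$@"; fi
```

A non-zero exit status means at least one configured log file is readable by other users; each such path is printed on its own line.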
