CVE-2018-10906

Published: 24 July 2018

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.
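A defender-side check for the condition described above, added here as an example and not taken from Ubuntu or the fuse project: it reports FUSE mounts made by a non-root user with 'allow_other' while 'user_allow_other' is absent from the fuse configuration. The function names and sample inputs are constructed for illustration, and it assumes the mount table uses the /proc/mounts field layout with the mounting user recorded as `user_id=`.

```python
# Added example: flag FUSE mounts carrying allow_other when fuse.conf forbids it.
# Sample inputs below are constructed, not taken from a real system.
SAMPLE_FUSE_CONF = """\
# /etc/fuse.conf (constructed sample)
#user_allow_other
mount_max = 1000
"""

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
alice@host:/srv /home/alice/mnt fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
portal /run/user/1001/doc fuse.portal rw,nosuid,nodev,relatime,user_id=1001,group_id=1001 0 0
lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
"""


def user_allow_other_enabled(conf_text):
    """True if an uncommented user_allow_other line is present."""
    for line in conf_text.splitlines():
        if line.split("#", 1)[0].strip() == "user_allow_other":
            return True
    return False


def unexpected_allow_other(mounts_text, conf_text):
    """Return (mountpoint, uid) for non-root FUSE mounts with allow_other
    on a system whose fuse.conf does not permit that option to users."""
    if user_allow_other_enabled(conf_text):
        return []
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, fstype, raw_opts = fields[1], fields[2], fields[3]
        # fuse, fuseblk and fuse.<subtype> are FUSE mounts; fusectl is not.
        if fstype not in ("fuse", "fuseblk") and not fstype.startswith(("fuse.", "fuseblk.")):
            continue
        opts = dict(o.partition("=")[::2] for o in raw_opts.split(","))
        uid = opts.get("user_id")
        if "allow_other" in opts and uid not in (None, "0"):
            findings.append((mountpoint, int(uid)))
    return findings


if __name__ == "__main__":
    for mountpoint, uid in unexpected_allow_other(SAMPLE_MOUNTS, SAMPLE_FUSE_CONF):
        print(f"allow_other without user_allow_other: {mountpoint} (uid {uid})")
```

On a live host, pass the contents of /proc/mounts and /etc/fuse.conf instead of the samples. A finding means either the bypass was used or the configuration changed after the mount was made, so treat it as a lead to investigate.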

Priority

Low

CVSS 3 base score: 7.8

Status

Package: fuse (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Needed
cosmic     Ignored (reached end-of-life)
disco      Ignored (reached end-of-life)
eoan       Ignored (reached end-of-life)
focal      Not vulnerable (2.9.9-3)
groovy     Not vulnerable (2.9.9-3)
hirsute    Not vulnerable (2.9.9-4ubuntu2)
impish     Not vulnerable (2.9.9-5ubuntu1)
jammy      Not vulnerable (2.9.9-5ubuntu1)
precise    Ignored (end of ESM support, was needs-triage)
trusty     Needs triage
upstream   Released (2.9.8)
xenial     Released (2.9.4-1ubuntu3.1+esm1)

Package: fuse3 (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Does not exist
cosmic     Does not exist
disco      Ignored (reached end-of-life)
eoan       Ignored (reached end-of-life)
focal      Not vulnerable (3.9.0-2)
groovy     Not vulnerable (3.9.3-1)
hirsute    Not vulnerable (3.10.2-2build1)
impish     Not vulnerable (3.10.3-1)
jammy      Not vulnerable (3.10.3-1)
precise    Does not exist
trusty     Does not exist
upstream   Released (3.2.5)
xenial     Does not exist