CVE-2014-8476

FreeBSD 8.4-10.1-RC4 - Unauthorized Sensitive Information Exposure via setlogin Buffer

Title source: llm
STIX 2.1

Description

The setlogin function in FreeBSD 8.4 through 10.1-RC4 does not initialize the buffer used to store the login name, which allows local users to obtain sensitive information from kernel memory via a call to getlogin, which returns the entire buffer.

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-3070
Vendor Advisory vendor-advisory x_refsource_freebsd
https://www.freebsd.org/security/advisories/FreeBSD-SA-14%3A25.setlogin.asc
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62218
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61118

Scores

EPSS 0.0007
EPSS Percentile 21.0%

Details

CWE
CWE-200
Status published
Products (7)
freebsd/freebsd 8.4
freebsd/freebsd 9.0 (3 CPE variants)
freebsd/freebsd 9.1
freebsd/freebsd 9.2
freebsd/freebsd 9.3
freebsd/freebsd 10.0
freebsd/freebsd 10.1 (5 CPE variants)
Published Nov 13, 2014
Tracked Since Feb 18, 2026