suse · CVE-2018-19044

Quick triage

Priority: high Published: 2021-05-30 14:18:26 UTC Updated: 2025-08-14 02:24:10 UTC

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2018-19044 severity important: SUSE including 12 source package names (2.0.19.2.2.10:keepalived-2.0.19-3.3.1, keepalived-1.3.5-16.el7, …), 14 product×package rows across 14 product lines (Container ses/7.1/ceph/keepalived, SUSE Liberty Linux 7, … (14 product lines)): Fixed 14.

Description:

keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.

cvelogic Threat Intelligence