CVE-2014-3986

Published: Jun 8, 2014Modified: May 6, 2026

3.3

Vector

AV:L/AC:M/Au:N/C:N/I:P/A:P

Exploitability: 3.4 / Impact: 4.9

Source: NVD

Description

include/tests_webservers in Lynis before 1.5.5 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.*.unsorted file with an easily determined name.

Affected (5)

Products: Cisofy: Lynis

Cisofy

1 product

Lynis

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Cisofy Lynis	Up to 1.5.4
Cisofy Lynis	Version 1.5.0
Cisofy Lynis	Version 1.5.1
Cisofy Lynis	Version 1.5.2
Cisofy Lynis	Version 1.5.3

Related CWEs

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (10)

http://cisofy.com/files/lynis-1.5.5.tar.gz

Source: cve@mitre.org

http://openwall.com/lists/oss-security/2014/06/05/14

Source: cve@mitre.org

http://openwall.com/lists/oss-security/2014/06/06/12

Source: cve@mitre.org

http://openwall.com/lists/oss-security/2014/06/07/3

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2014/Jun/21

Source: cve@mitre.org

http://cisofy.com/files/lynis-1.5.5.tar.gz