Home > Vulnerability Database > CVE-2022-41974

Mend.io Vulnerability Database

CVE-2022-41974

Good to know:

Date: October 29, 2022

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

Language: C

Severity Score

8.2

Related Resources (19)

Url: http://www.openwall.com/lists/oss-security/2022/10/24/2

Url: http://www.openwall.com/lists/oss-security/2022/11/30/2

Url: https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt

Url: https://bugzilla.suse.com/show_bug.cgi?id=1202739

Url: https://access.redhat.com/security/cve/CVE-2022-41974

Url: https://lists.debian.org/debian-lts-announce/2022/12/msg00037.html

Url: https://www.debian.org/security/2023/dsa-5366

Url: http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html

Url: https://security.gentoo.org/glsa/202311-06

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-41974

Url: http://seclists.org/fulldisclosure/2022/Oct/25

Url: https://security-tracker.debian.org/tracker/CVE-2022-41974

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIGZM5NOOMFDCITOLQEJNNX5SCRQLQVV/

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2022-41974

Url: https://github.com/opensvc/multipath-tools/releases/tag/0.9.2

Url: http://seclists.org/fulldisclosure/2022/Dec/4

Url: http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIGZM5NOOMFDCITOLQEJNNX5SCRQLQVV/

Url: https://www.mend.io/vulnerability-database/CVE-2022-41974

Severity Score

8.2

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Top Fix

Upgrade Version

Upgrade to version 0.9.2

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-41974

Good to know:

Date: October 29, 2022

Language: C

Severity Score

Related Resources (19)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?