CVE-2015-1340 — Race condition in github.com/lxc/lxd

Description

A race between chown and chmod operations during a container filesystem shift may allow a user who can modify the filesystem to chmod an arbitrary path of their choice, rather than the expected path.

How to fix CVE-2015-1340

To remediate CVE-2015-1340, upgrade the affected package to a fixed version below.

Go/github.com/lxc/lxd—upgrade to 0.0.0-20151004155856-19c6961cc101 or later
—upgrade to 0.0.0-20151004155856-19c6961cc101 or later

Is CVE-2015-1340 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.0.0-20151004155856-19c6961cc101
from 0, < 0.0.0-20151004155856-19c6961cc101

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-1340
PATCHgithub.com/lxc/lxd
WEBbugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270
WEBgithub.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4
WEB