CVE-2009-3611

common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes certain permissions to 0777 before deleting the files in an old backup snapshot, which allows local users to obtain sensitive information by reading these files, or interfere with backup integrity by modifying files that are shared across snapshots.

Published: Oct 26, 2009
Updated: May 9, 2024
CVE: CVE-2009-3611
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Low
Score: 3.6
AV:L/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-732
CWE-264

Affected Software
References

Software	From	Fixed in
le-web / backintime	0.9.26	0.9.26.x
fedoraproject / fedora	11	11.x
fedoraproject / fedora	10	10.x

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543785
http://bugs.gentoo.org/show_bug.cgi?id=289047
http://ftp.debian.org/debian/pool/main/b/backintime/backintime_0.9.26-3.diff.gz
http://marc.info/?l=oss-security&m=125553645511436&w=2
http://marc.info/?l=oss-security&m=125554894700336&w=2
https://bugs.launchpad.net/ubuntu/+source/backintime/+bug/434256
https://bugzilla.redhat.com/show_bug.cgi?id=520210
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00821.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00823.html

Vulnerability Database

289,697

CVE-2009-3611