References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Known Affected Software Configurations Switch to CPE 2.2

Change History

NIST AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

NIST CWE-639

OR
     *cpe:2.3:a:9front:lib9p:*:*:*:*:*:*:*:* versions up to (excluding) 2024-08-24

https://git.9front.org/plan9front/plan9front/07aa9bfeef55ca987d411115adcfbbd4390ecf34/commit.html No Types Assigned

https://git.9front.org/plan9front/plan9front/07aa9bfeef55ca987d411115adcfbbd4390ecf34/commit.html Patch

A bug in the 9p authentication implementation within lib9p allows an attacker with an existing valid user within the configured auth server to impersonate any other valid filesystem user.

This is due to lib9p not properly verifying that the uname given in the Tauth and Tattach 9p messages matches the client UID returned from the factotum authentication handshake.


The only filesystem making use of these functions within the base 9front systems is the experimental hjfs disk filesystem, other di

9front CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:C/RE:L/U:Red

9front CWE-639

9front https://git.9front.org/plan9front/plan9front/07aa9bfeef55ca987d411115adcfbbd4390ecf34/commit.html [No types assigned]