CVE-2013-1813
high
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
7.2
Description
util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Red Hat Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| 6.0 | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1:1.20.0-8 |
| sid | Fixed | 1:1.20.0-8 |
| forky | Fixed | 1:1.20.0-8 |
| bullseye | Fixed | 1:1.20.0-8 |
| bookworm | Fixed | 1:1.20.0-8 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| busybox | busybox | {"endIncluding":"1.20.2"} | |
| busybox | busybox | 0.38 | |
| busybox | busybox | 0.39 | |
| busybox | busybox | 0.40 | |
| busybox | busybox | 0.41 | |
| busybox | busybox | 0.42 | |
| busybox | busybox | 0.43 | |
| busybox | busybox | 0.45 | |
| busybox | busybox | 0.46 | |
| busybox | busybox | 0.47 | |
| busybox | busybox | 0.48 | |
| busybox | busybox | 0.49 | |
| busybox | busybox | 0.50 | |
| busybox | busybox | 0.51 | |
| busybox | busybox | 0.52 | |
| busybox | busybox | 0.60.0 | |
| busybox | busybox | 0.60.1 | |
| busybox | busybox | 0.60.2 | |
| busybox | busybox | 0.60.3 | |
| busybox | busybox | 0.60.4 | |
| busybox | busybox | 0.60.5 | |
| busybox | busybox | 1.00 | |
| busybox | busybox | 1.01 | |
| busybox | busybox | 1.1.0 | |
| busybox | busybox | 1.1.1 | |
| busybox | busybox | 1.1.2 | |
| busybox | busybox | 1.1.3 | |
| busybox | busybox | 1.2.0 | |
| busybox | busybox | 1.2.1 | |
| busybox | busybox | 1.2.2 | |
| busybox | busybox | 1.2.2.1 | |
| busybox | busybox | 1.3.0 | |
| busybox | busybox | 1.3.1 | |
| busybox | busybox | 1.3.2 | |
| busybox | busybox | 1.4.0 | |
| busybox | busybox | 1.4.1 | |
| busybox | busybox | 1.4.2 | |
| busybox | busybox | 1.5.0 | |
| busybox | busybox | 1.5.1 | |
| busybox | busybox | 1.6.0 | |
| busybox | busybox | 1.6.1 | |
| busybox | busybox | 1.7.0 | |
| busybox | busybox | 1.7.1 | |
| busybox | busybox | 1.7.2 | |
| busybox | busybox | 1.7.3 | |
| busybox | busybox | 1.8.0 | |
| busybox | busybox | 1.8.1 | |
| busybox | busybox | 1.8.2 | |
| busybox | busybox | 1.9.0 | |
| busybox | busybox | 1.9.1 | |
| busybox | busybox | 1.9.2 | |
| busybox | busybox | 1.10.0 | |
| busybox | busybox | 1.10.1 | |
| busybox | busybox | 1.10.2 | |
| busybox | busybox | 1.10.3 | |
| busybox | busybox | 1.10.4 | |
| busybox | busybox | 1.11.0 | |
| busybox | busybox | 1.11.1 | |
| busybox | busybox | 1.11.2 | |
| busybox | busybox | 1.11.3 | |
| busybox | busybox | 1.12.0 | |
| busybox | busybox | 1.12.1 | |
| busybox | busybox | 1.12.2 | |
| busybox | busybox | 1.12.3 | |
| busybox | busybox | 1.12.4 | |
| busybox | busybox | 1.13.0 | |
| busybox | busybox | 1.13.1 | |
| busybox | busybox | 1.13.2 | |
| busybox | busybox | 1.13.3 | |
| busybox | busybox | 1.13.4 | |
| busybox | busybox | 1.14.0 | |
| busybox | busybox | 1.14.1 | |
| busybox | busybox | 1.14.2 | |
| busybox | busybox | 1.14.3 | |
| busybox | busybox | 1.14.4 | |
| busybox | busybox | 1.15.0 | |
| busybox | busybox | 1.15.1 | |
| busybox | busybox | 1.15.2 | |
| busybox | busybox | 1.15.3 | |
| busybox | busybox | 1.16.0 | |
| busybox | busybox | 1.16.1 | |
| busybox | busybox | 1.16.2 | |
| busybox | busybox | 1.17.0 | |
| busybox | busybox | 1.17.1 | |
| busybox | busybox | 1.17.2 | |
| busybox | busybox | 1.17.3 | |
| busybox | busybox | 1.17.4 | |
| busybox | busybox | 1.18.0 | |
| busybox | busybox | 1.18.1 | |
| busybox | busybox | 1.18.2 | |
| busybox | busybox | 1.18.3 | |
| busybox | busybox | 1.18.4 | |
| busybox | busybox | 1.18.5 | |
| busybox | busybox | 1.19.0 | |
| busybox | busybox | 1.19.2 | |
| busybox | busybox | 1.19.3 | |
| busybox | busybox | 1.19.4 | |
| busybox | busybox | 1.20.0 | |
| busybox | busybox | 1.20.1 | |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701965
- http://git.busybox.net/busybox/commit/?id=4609f477c7e043a4f6147dfe6e86b775da2ef784
- http://lists.busybox.net/pipermail/busybox/2013-January/078864.html
- http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html
- http://rhn.redhat.com/errata/RHSA-2013-1732.html
- http://seclists.org/fulldisclosure/2019/Jun/18
- http://seclists.org/fulldisclosure/2020/Aug/20
- http://seclists.org/fulldisclosure/2020/Mar/15
- https://seclists.org/bugtraq/2019/Jun/14
- https://support.t-mobile.com/docs/DOC-21994
- https://security-tracker.debian.org/tracker/CVE-2013-1813
CWEs
CWE-264
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.