CVE-2022-41973 Debian — Exploit & Vulnerability Details HIGH

Parameter	Value
CVSS	7.8 (HIGH)
Affected Versions	0.7.7 — 0.9.2
Fixed In	0.9.2
Type	CWE-59 (Improper Link Resolution)
Vendor	Debian
Public PoC	Yes

multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-59 Improper Link Resolution

Vulnerable Products 3

Configuration	From (including)	Up to (excluding)
Opensvc Multipath-Tools cpe:2.3:a:opensvc:multipath-tools::::::::	`0.7.7`	`0.9.2`
Fedoraproject Fedora cpe:2.3:o:fedoraproject:fedora:36:::::::*	—	—
Debian Debian_Linux cpe:2.3:o:debian:debian_linux:10.0:::::::*	—	—