CVE-2017-10140
db4.7 - security update
CVSS 3.1 score: 7.8 (HIGH); EPSS: 0.30%
Description
Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.
How to fix CVE-2017-10140
To remediate CVE-2017-10140, upgrade the affected package to a fixed version below.
- Upgrade to 5.1.29-5+deb7u1 or later
- Upgrade to 4.7.25-21+deb7u1 or later
- Upgrade to 4.8.30-12+deb7u1 or later
- Upgrade to 5.3.28-13.1 or later
Is CVE-2017-10140 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- Affected versions: from 0, < 5.1.29-5+deb7u1
- Affected versions: from 0, < 4.7.25-21+deb7u1
- Affected versions: from 0, < 4.8.30-12+deb7u1
- Affected versions: from 0, < 5.3.28-13.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |