FKIE_CVE-2024-26307

Vulnerability from fkie_nvd - Published: 2024-03-21 10:15 - Updated: 2025-06-17 13:50
Severity ?
5.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Possible race condition vulnerability in Apache Doris. Some of code using `chmod()` method. This method run the risk of someone renaming the file out from under user and chmodding the wrong file. This could theoretically happen, but the impact would be minimal. This issue affects Apache Doris: before 1.2.8, before 2.0.4. Users are recommended to upgrade to version 2.0.4, which fixes the issue.
References
security@apache.orghttp://www.openwall.com/lists/oss-security/2024/03/21/2Mailing List
security@apache.orghttps://lists.apache.org/thread/5shhw8x8m271hd2wfwzqzwgf36pmc4plMailing List
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2024/03/21/2Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread/5shhw8x8m271hd2wfwzqzwgf36pmc4plMailing List
Impacted products
Vendor Product Version
apache doris *
apache doris *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:doris:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B75564F-3C9C-452E-BD4C-6A9C706EE8B5",
              "versionEndExcluding": "1.2.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:doris:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7296FBE-665A-464B-8A52-5ED73CEA5D6A",
              "versionEndExcluding": "2.0.4",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Possible race condition vulnerability in Apache Doris.\nSome of code using `chmod()` method. This method run the risk of someone renaming the file out from under user and chmodding the wrong file.\nThis could theoretically happen, but the impact would be minimal.\nThis issue affects Apache Doris: before 1.2.8, before 2.0.4.\n\nUsers are recommended to upgrade to version 2.0.4, which fixes the issue."
    },
    {
      "lang": "es",
      "value": "Posible vulnerabilidad de condici\u00f3n de ejecuci\u00f3n en Apache Doris. Parte del c\u00f3digo que utiliza el m\u00e9todo `chmod()`. Este m\u00e9todo corre el riesgo de que alguien cambie el nombre del archivo por debajo del usuario y modifique el archivo incorrecto. En teor\u00eda, esto podr\u00eda suceder, pero el impacto ser\u00eda m\u00ednimo. Este problema afecta a Apache Doris: antes de 1.2.8, antes de 2.0.4. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.0.4, que soluciona el problema."
    }
  ],
  "id": "CVE-2024-26307",
  "lastModified": "2025-06-17T13:50:12.777",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-21T10:15:07.527",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/03/21/2"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/5shhw8x8m271hd2wfwzqzwgf36pmc4pl"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/03/21/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/5shhw8x8m271hd2wfwzqzwgf36pmc4pl"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.