Arch Linux: Information disclosure (CVE-2017-10140)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:N/C:P/I:P/A:P) | Apr 16, 2018 | Jul 11, 2025 | Nov 27, 2025 |
Description
It was found that Berkeley DB reads the DB_CONFIG configuration file from the current working directory by default. This happens when db_create() is called with dbenv=NULL, or when the dbm_open() function is used. This behavior is a security vulnerability because, for setuid or setgid commands, excerpts of the file are revealed to the calling user (and a specially crafted DB_CONFIG file might cause further harm).
Solution
arch-linux-upgrade-latest
References
- CVE-2017-10140
- https://attackerkb.com/topics/CVE-2017-10140
- http://seclists.org/oss-sec/2017/q3/285
- http://www.postfix.org/announcements/postfix-3.2.2.html
- https://access.redhat.com/errata/RHSA-2019:0366
- https://security.archlinux.org/ASA-201711-32
- https://www.oracle.com/security-alerts/cpujul2020.html